Date   

Re: [spdx-tech] Should SPDX endorse SCA tools?

Kate Stewart
 

We've got a lot of historical cruft in our SPDX repo as well.  Coming up with some criteria for inclusion & removal is overdue.

After we settle the 3.0 template issue,  you up for dedicating part of a call to sketch out the repository inclusion criteria?  Then we'll do an assessment/clean up pass. 

Thanks, 
Kate


On Tue, Jun 29, 2021 at 1:29 PM Thomas Steenbergen <opensource@...> wrote:

Hi,

 

Continuing the discussion in today’s SPDX Tech call here on “Should SPDX endorse SCA tools?” - so other people in the SPDX community get the opportunity to share their opinion.

 

Following  Software Bill of Materials (SBOM) Industry Standard, Research, Training, and Tools to Improve Cybersecurity Practices announcement, I got the feedback form within my network asking me about the “official” SPDX SCA* tool (spdx-sbom-generator) – some project/technical question and remarks about the quality of the SBOM it produces.

 

I then realized that as spdx-sbom-generator is hosted on spdx GitHub org one can see it as an endorsement from SPDX. In OpenChain community, who also develops it specification, a deliberate choice was made to not endorse any tools as I was told a specification should be tooling neutral to facilitate broad adoption and healthy tooling ecosystem supporting the specification.

 

I think it may be a good idea for SPDX to do the same, as it’s possible to validate a SPDX SBOM per the specification but we cannot easily validate if SBOM is actually a good representation of reality.

Most build tools are meant to build code and do not to produce an SBOM.  As a result, SCA tools on the market generally do a best effort approach and thereby miss OSS or get OSS license or metadata wrong.

 

Let me know what you think.

 

* SCA = Software Composition Analysis

 

Regards,

 

Thomas Steenbergen

 

 

 

 

 

 

 


Re: SPDX June General Meeting Minutes

Steve Winslow
 

Hi Philippe,

Thanks for your comments and thoughts on this. I know this was a couple of weeks ago, but I had a few thoughts I wanted to share.

You're right that the Community Specification License is not an OSI-approved license, nor on the SPDX License List (though I'm expecting to submit it to the License List shortly). Whether or not SPDX adopts it for our project, I'm aware that several other collaborative specifications-development efforts are using or evaluating it.  E.g., FINOS (the Fintech Open Source Foundation) adopted it in April for all their new spec development efforts going forward, and I understand that other projects are currently considering it. So I don't think that proliferation is likely to be a concern here, as it is seeing uptake in any case.

I wouldn't expect OSI to consider or approve it for OSI approval, because it isn't a software license. It's particularly tailored to the unique issues around specifications. I'm not an author of the Community Specification License, but I think that it brings several advantages, primarily in the area of patent licenses.

For development of specifications, it's relevant to have not just copyright but also patent licenses. And, differently from software, for specifications the patent license that matters is one that covers implementations developed in accordance with the spec. Patent licenses in open source software licenses are naturally tied to that particular piece of software; but for specs, it would be important to have it extend to downstream implementations of the spec. That's why just switching to a FOSS software license with explicit patent commitments like Apache-2.0 wouldn't address this (whether with or without a DCO sign-off).

The Community Specification License includes an explicit patent license commitment for implementations of the spec. And, that patent license grant is for the spec as a whole -- not just what the contributor themself contributes. I won't get into all the specifics here, but I think this broad deactivation of patents among contributors within the spec's defined scope is a big benefit. It gives implementors of the spec greater comfort that they won't be subject to contributors' patent claims within that scope.

I'm putting together more detailed thoughts for the proposal that was described on the General Meeting, and expecting to share those with the community shortly. So I'll leave it there for now, but just wanted to share these thoughts as a preview. More to come soon.

Best,
Steve



On Fri, Jun 4, 2021 at 11:28 AM Philippe Ombredanne <pombredanne@...> wrote:
Dear Phil:
Thank you for these minutes! I want to comment on the spec license topic.

On Fri, Jun 4, 2021 at 3:16 PM Phil Odence via lists.spdx.org
<phil.odence=synopsys.com@...> wrote:

> The most significant change would be to change the license for the spec to the Community Specification License. This is a license purpose built for specifications. Like the existing CC license, it grants a broad copyright license to the spec itself. Additionally, requires contributors to grant licenses to any patents that might cover implementations of the spec. This would address user concerns about the possibility that an SPDX contributor seeking to enforce patents that they might hold that cover the spec.

The governance updates make change, but I cannot fathom the benefits
of switching the spec license to a reasonably new, unproven and
uncommon license that is neither OSI-approved, nor on the SPDX license
list and not even for consideration there at this stage.

If you have patents concerns, I would rather see these addressed by a
simple DCO signoff and an update of the project contribution policies.
This would put the omen to comply on contributors rather than putting
the burden on the users to have to deal with yet another license.

Additionally, it does not feel right if SPDX contributes to license
proliferation.

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode - What's in your code?! - http://www.dejacode.com
ScanCode - The S in SCA stands for ScanCode -
https://github.com/nexB/scancode-toolkit
AboutCode - Open source for open source - https://www.aboutcode.org
nexB Inc. - http://www.nexb.com







--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


The SPDX chatroom is now on Libera.Chat; please feel free to join!

Sebastian Crane
 

Dear all,

I bring good news: with the approval of the Libera.Chat staff, the #spdx
IRC channel is now registered! This should be a great place to help
introduce newcomers to the SPDX project, as well as to discuss Software
Bill of Materials-related topics with existing adopters and working
group members.

Philippe Ombredanne (pombreda) and I (seabass) are 'operators' of the
channel, thus able to change its settings if this is required.

If you are already familiar with IRC and have a client installed, you
can just join #spdx on irc.libera.chat.

As another option, you can join with Libera.Chat's web interface (no
need to enter a password) at: https://web.libera.chat/#spdx

Finally, you can join via your Matrix account. Our channel's Matrix
address is: #spdx:libera.chat

Of the three options above, only Matrix allows you to see chat history
from when you aren't connected, so this may be the best way to join if
you are already used to other instant messaging apps. However, you do
need to sign up for an account on a 'homeserver' - here's the flagship
homeserver: https://app.element.io/#/register

Please let me know if there's any trouble in joining the channel with
any of the methods above; I'll do my best to help you get connected :)
Looking forward to chatting with you on #spdx!

Best wishes,

Sebastian Crane


Re: SPDX June General Meeting Minutes

Philippe Ombredanne
 

Dear Phil:
Thank you for these minutes! I want to comment on the spec license topic.

On Fri, Jun 4, 2021 at 3:16 PM Phil Odence via lists.spdx.org
<phil.odence=synopsys.com@lists.spdx.org> wrote:

The most significant change would be to change the license for the spec to the Community Specification License. This is a license purpose built for specifications. Like the existing CC license, it grants a broad copyright license to the spec itself. Additionally, requires contributors to grant licenses to any patents that might cover implementations of the spec. This would address user concerns about the possibility that an SPDX contributor seeking to enforce patents that they might hold that cover the spec.
The governance updates make change, but I cannot fathom the benefits
of switching the spec license to a reasonably new, unproven and
uncommon license that is neither OSI-approved, nor on the SPDX license
list and not even for consideration there at this stage.

If you have patents concerns, I would rather see these addressed by a
simple DCO signoff and an update of the project contribution policies.
This would put the omen to comply on contributors rather than putting
the burden on the users to have to deal with yet another license.

Additionally, it does not feel right if SPDX contributes to license
proliferation.

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@nexB.com
DejaCode - What's in your code?! - http://www.dejacode.com
ScanCode - The S in SCA stands for ScanCode -
https://github.com/nexB/scancode-toolkit
AboutCode - Open source for open source - https://www.aboutcode.org
nexB Inc. - http://www.nexb.com


SPDX June General Meeting Minutes

Phil Odence
 

We’ve had some new players joining. The minutes log names and companies. I didn’t get everyone’s company and there were a couple of phone numbers displayed; it wasn’t clear if those logged in as well or folks I missed. Please look the list (bottom of the page) over and add or correct. And for future meetings, if possible, log in with your name. THANKS.

 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-06-03

 

General Meeting/Minutes/2021-06-03

General Meeting‎ | Minutes

·         Attendance: 17

·         Lead by Phil Odence

·         Minutes of May meeting Approved

 

Contents

 [hide

SPDX Governance Review - Phil[edit]

·         Background: About 8 years ago, we put in place a governance structure for SPDX. It was a good effort at the time and has served us, but it’s never really been stressed. Factors are in play today that suggest the need for a legally tighter structure:

·         OMG CISQ 3T joining SPDX

·         ISO direction

·         Executive Order

·         Working with other standards, i.e. SWID and CycloneDX

·         The Linux Foundation has a pre-packaged governance solution for standards bodies, call the Joint Development Foundation, a “consortium in a box,” as they refer to it. It’s a free, fast way to set up a highly configurable legal entity and structure designed for specification development. With support LF attorneys who have been involved in a number of such projects for the LF, the Core Team is exploring this option and it looks like it will suit our needs.

·         There are many ways to configure, and we are going down the path of the simplest possible configuration. Essentially, we can tailor the documents so as to continue to operate as we have. The most significant change would be to change the license for the spec to the Community Specification License. This is a license purpose built for specifications. Like the existing CC license, it grants a broad copyright license to the spec itself. Additionally, requires contributors to grant licenses to any patents that might cover implementations of the spec. This would address user concerns about the possibility that an SPDX contributor seeking to enforce patents that they might hold that cover the spec.

·         This is really to give you a heads up of something coming in the future. The current governance mechanism defines a mechanism and timetable for such a change that involves a formal announcement and a general meeting to try to reach consensus. That clock is not starting now; just want you to be aware that it’s coming.

Tech Team Report - Kate/Gary/Others[edit]

 

·         Tools - Gary

·         Python project is progressing

·         Exec Order will bring with is some funding for cleaning up tooling gaps

·         New project

·         Generating SBOM to work with CI/CD pipelines

·         Written in Go

·         Yocto keen to use

·         NTIA slugfest is upcoming

·         Spec – Kate

·         Work

·         Core:

·         William Bartholomew and others working to show initial serializations, migration issues

·         rough format using Markdown as source of truth

·         GSoC project to translate into schemas

·         Vulnerabilities:

·         Thomas has given initial presentation, gathering feedback, meetings to be called to discuss

·         Usage - Moving forward

·         Licensing – Steve:

·         in process, expect to have updated draft by end of July

·         major open piece is documenting / specifying the license expression model classes

·         Linkage – Nisha experimenting, looking at re: e.g. containers

·         Build – Bob, David Edelsohn

 

·         Sebastian: Meeting times – out of date, time incorrect for General Meeting

·         Sync to a particular time – Eastern US or UTC?

·         and just list that time on the wiki, with link to a time/date converter

·         Steve to sync with Phil to confirm on regular invite time

Legal Team Report - Jilayne/Paul/Steve[edit]

 

·         3.13 released in May

·         issue with version numbers for tagged releases

·         thank you to Gary for helping address this while on vacation

·         3.14 in process now, to be released end of July

 

Outreach Team Report - Kate[edit]

 

·         Next meeting June 7

·         Calendar invite at https://lists.spdx.org/g/Spdx-tech/message/4059

·         use this and not old info on the wiki

Other Topics[edit]

 

·         IRC channel for SPDX – Sebastian / Philippe

·         One channel on Freenode, another on OFTC; libera.chat also existing

·         Switching to libera.chat

·         Sebastian to register and share with general list

·         GSoC students also tend to use gitter.im (also accessible via IRC / Matrix)

·         channel name to be #spdx

·         After registered and shared with general list, will also add to website

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Sebastian Crane

·         Steve Winslow, LF

·         Kate Stewart, Linux Foundation

·         William Cox, Synopsys

·         Marc Etienne Vargenau, Nokia

·         Mikihito Matsuura, Tokyo University

·         Bob Martin, Mitre

·         Philippe Emmanuel Douziech, CAST

·         Joshua Marpet, MGM Growth

·         Tiberius Hefflin, Intel

·         Jilayne Lovejoy, Red Hat

·         Warner Lost,

·         Aveek Basu, NextMark Printers

·         Sharon Burke,

·         Gary O’Neall, SourceAuditor

 

·          

·          

·          

·          

·          

·          

·          

·          

 


SPDX General Meeting

Phil Odence
 

Please accept this recurring invitation

 

 “Dial In” info:

 

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers: 
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio: 
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Standard Agenda:

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-05-06

 

SPDX Governance Evolution – Phil/Steve

 

Technical Team Report – Kate/Gary/Others

  Tooling Update  - Gary

  Specification and Profiles 

  • Core - William
  • Legal - Steve
  • Vulnerabilities - Thomas
  • LInkage - Nisha
  • Usage and Other Emerging Profiles - Kate

 

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

 


Canceled: SPDX General Meeting

Phil Odence
 

I will be sending out a replacement invite in a few hours. Please clear your calendar. Thanks, Phil


Thursday's SPDX General Meeting reminder

Phil Odence
 

Because we are moving to Jitsi for video conferencing and try to avoid confusion, I will delete the old invite, wait a few hours and then send out a new one with the new information.

 

To start the meeting, Steve and I will share some early thoughts about evolving the group’s legal structure in the face of the rising importance of SBOMs in general and SPDX specifically to many organizations. Expect this to be a preview and evolutionary, not revolutionary.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, June 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare is changing 

 

Administrative Agenda

Attendance

Minutes Approval https://wiki.spdx.org/view/General_Meeting/Minutes/2021-05-06

 

SPDX Governance Evolution – Phil/Steve

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack 

  

 

 

 


Re: SBOM's going mainstream - Biden Cybersecurity EO

Phil Odence
 

I’m sure most of you are aware of the executive order by now. The draws attention to SPDX and the LF is keen to show the project in its best light. As such we are adding a page to the website to display logos of companies whose employees participate. Consider this a heads up; we’d love to get your company’s logo up. Instructions will be forthcoming on how to submit.

 

From: spdx@... <spdx@...> on behalf of Sebastian <seabass-labrax@...>
Date: Tuesday, May 18, 2021 at 1:57 PM
To: spdx@... <spdx@...>
Subject: Re: [spdx] SBOM's going mainstream - Biden Cybersecurity EO

Dear all,

During today's SPDX Technical Team meeting, the US Government's recent
Executive Order was a major point of discussion! Kate Stewart shared a
link to a blog post from the Linux Foundation regarding the news:

https://urldefense.com/v3/__https://linuxfoundation.org/en/blog/how-lf-communities-enable-security-measures-required-by-the-us-executive-order-on-cybersecurity/__;!!A4F2R9G_pg!P49KwL8ZQvN9ngQGdyp9LeHwUOLk_4PKkHwz_zn50tJpvNlsdEIH8qN-aSLELDgf6H8$

There is lots of useful background information and explanation in the
article which I imagine would be of interest to members of this list.

Best wishes,

Sebastian





Re: SBOM's going mainstream - Biden Cybersecurity EO

Sebastian Crane
 

Dear all,

During today's SPDX Technical Team meeting, the US Government's recent
Executive Order was a major point of discussion! Kate Stewart shared a
link to a blog post from the Linux Foundation regarding the news:

https://linuxfoundation.org/en/blog/how-lf-communities-enable-security-measures-required-by-the-us-executive-order-on-cybersecurity/

There is lots of useful background information and explanation in the
article which I imagine would be of interest to members of this list.

Best wishes,

Sebastian


Re: [EXTERNAL] Re: [spdx] SBOM's going mainstream - Biden Cybersecurity EO

Gene Vallow
 

You’re very welcome.  Thanks for all you do!  :-)

 

We LOVE that place!  Can’t wait to start going again!  So yes, may see us there! 

 

From: <spdx@...> on behalf of Steve Winslow <swinslow@...>
Reply-To: "spdx@..." <spdx@...>
Date: Friday, May 14, 2021 at 2:16 PM
To: "spdx@..." <spdx@...>
Subject: [EXTERNAL] Re: [spdx] SBOM's going mainstream - Biden Cybersecurity EO

 

For those interested -- as a follow-up to Kate's message about the EO, here is an article in ZDNet that mentions several aspects of SPDX and how it addresses objectives of the EO:

 

 

Steve

 

On Thu, May 13, 2021 at 1:36 PM Kate Stewart <kstewart@...> wrote:

Last night Biden signed Executive Order (EO) on Improving the Nation’s Cybersecurity.

As part of this Executive order the concept of SBOM is getting widespread visibility.



If the question comes up please help reinforce that SPDX is a valid recognized SBOM format.

NTIA has recognized 3 SBOM formats able to satisfy the minimum viable requirement for an SBOM, and SPDX is one of them. Current details are available from the last NTIA formats and tooling quarterly checkpoint last month. Also, last month NTIA hosted a plugfest, and all but one, tool was able to create an SPDX SBOM.



The NTIA community has been key to getting SBOM in this EO.  Some of you will remember Allan Friedman from NTIA's presentation to our group last year, as well as Ed Heierman from the HealthCare PoC on what they found using SPDX, so it's very exciting to see this emerge.



Thanks,

Kate



 

 



--

Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: SBOM's going mainstream - Biden Cybersecurity EO

Steve Winslow
 

For those interested -- as a follow-up to Kate's message about the EO, here is an article in ZDNet that mentions several aspects of SPDX and how it addresses objectives of the EO:


Steve

On Thu, May 13, 2021 at 1:36 PM Kate Stewart <kstewart@...> wrote:
Last night Biden signed Executive Order (EO) on Improving the Nation’s Cybersecurity.
As part of this Executive order the concept of SBOM is getting widespread visibility.

If the question comes up please help reinforce that SPDX is a valid recognized SBOM format.
NTIA has recognized 3 SBOM formats able to satisfy the minimum viable requirement for an SBOM, and SPDX is one of them. Current details are available from the last NTIA formats and tooling quarterly checkpoint last month. Also, last month NTIA hosted a plugfest, and all but one, tool was able to create an SPDX SBOM.

The NTIA community has been key to getting SBOM in this EO.  Some of you will remember Allan Friedman from NTIA's presentation to our group last year, as well as Ed Heierman from the HealthCare PoC on what they found using SPDX, so it's very exciting to see this emerge.

Thanks,
Kate





--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


SBOM's going mainstream - Biden Cybersecurity EO

Kate Stewart
 

Last night Biden signed Executive Order (EO) on Improving the Nation’s Cybersecurity.
As part of this Executive order the concept of SBOM is getting widespread visibility.

If the question comes up please help reinforce that SPDX is a valid recognized SBOM format.
NTIA has recognized 3 SBOM formats able to satisfy the minimum viable requirement for an SBOM, and SPDX is one of them. Current details are available from the last NTIA formats and tooling quarterly checkpoint last month. Also, last month NTIA hosted a plugfest, and all but one, tool was able to create an SPDX SBOM.

The NTIA community has been key to getting SBOM in this EO.  Some of you will remember Allan Friedman from NTIA's presentation to our group last year, as well as Ed Heierman from the HealthCare PoC on what they found using SPDX, so it's very exciting to see this emerge.

Thanks,
Kate




SPDX May General Meeting Minutes

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2021-05-06

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 

SIG-emailsig-2020

 

 

signature_2000046778   signature_745472613   signature_1521357274   signature_577595742

 

General Meeting/Minutes/2021-05-06

General Meeting‎ | Minutes

·         Attendance: 18

·         Lead by Phil Odence

·         Minutes of Apri meeting Approved

·         Plan was to switch to Zoom

·         Considering using Jitsu

 

Contents

 [hide

SPDX License Name Space at Amazon - Mark[edit]

·         https://docs.google.com/presentation/d/1uCAJW79hzqLAPhXfAn4maCRk9TZUhLJDAPEOBlgUFTw/edit?usp=sharing

 

Tech Team Report - Kate/Gary/Others[edit]

 

·         Spec – Kate

·         Specification conversations continuing to move forward

·         Rough template for categories of topics (what were previously being called “profiles”)

·         Core Model - Gary

·         No Update

·         Licensing

·         filed PR with initial draft for discussion of template format, etc.; will update to newer template; previously discussed much of its substance last year

·         Integrity – Kay

·         working with in-toto community, framework for end-to-end supply chain security; collaborating with them to see if the specs can be aligned

·         Defects / Security – Thomas not here today

·         pushed first draft of fields for (1) vulnerabilities, and (2) defects => impact on packages, false positives, etc.

·         https://github.com/spdx/spdx-spec/pull/510

·         Meetings next week to look at other security specs, their use cases, whether they can / how they should be incorporated

·         Linking – Nisha not here today

·         Kate discussing with Nisha / Rose

·         Usage – Yoshiyuki Ito

·         No update

·         Pedigree / Build / Creation – Kate

·         No Update

·         GSoC- Alexios

·         Got 5 slots; can run up to 5 projects

·         Likely to accept 5 proposals:

·         2 for improving Golang tooling libraries (one RDF writing, one JSON reading/writing)

·         1 for transitioning / updating online SPDX tools

·         1 for spec processing tools

·         1 for improved license matcher, taking matching guidelines into account (unplanned submission)

 

Legal Team Report - Jilayne/Paul/Steve[edit]

 

·         Working for 3.13, planning to push out over the weekend

·         Have been trying to clean up old issues

·         Some updates on documentation in the repo

·         New participants recently – some discussions on recent calls have included reviewing past history; may want to put together more historical documentation of past context, etc.

·         Some interest from Debian – interest in getting a Debian-free tickbox into the license list

·         License submissions – starting to take a harder line on participation from people submitting license requests without sticking with them. For this release, started asking people to create the PR’s themselves – a few of the submitters at least responded and indicated they would do so

·         Still relying on the calls too much; having people commenting in issues out-of-band would be very helpful

 

Outreach Team Report - Kate[edit]

 

·         Continuing to see interest in SPDX across different communities

·         Zephyr – auto-generation

·         Possible interest in re-starting Outreach team meetings – Sebastian interest, Aveek also

·         Kate will reach out to Jack and either ask him to restart or else Kate will restart

 

Other Topics[edit]

 

·         Sebastian – interest in Arch Linux in using SPDX

·         Some work being done on the Arch packaging system, interest in using SPDX licenses

·         Jitsi

·         Jilayne - Jitsi – this has gone well, plan to update to this for future General calls

·         Legal and Tech teams can update if/when they choose

·         Europe, UK, etc. seems to be working

·         Bob – recommend putting passwords on it

·         Steve – discuss whether to put one on. Possible but appears to prevent dial-ins afterwards.

·         Steve will look into options

 

Attendees[edit]

·         Phil Odence, Black Duck/Synopsys

·         Mark Atwood, Amazon

·         Matthew Crawford, ARM

·         Bob Martin, Mitre

·         Philippe Emmanuel Douziech, CAST

·         Jilayne Lovejoy, Red Hat

·         Maximilian Huber, TNG

·         Alexios Zavras, Intel

·         Kay Williams, Microsoft

·         David Edelsohn, IBM

·         Thomas Steenbergen, HERE

·         Jeff Schutt, Cisco

·         Kate Stewart, Linux Foundation

·         Michael Herzog- nexB

·         Sebastian Crane

·         Steve Winslow, LF

·         Marc Etienne Vargenau, Nokia

·         Jonas Smedegaard, self

 


Re: Thursday SPDX General Meeting Reminder - Special Presentation and NEW CONF BRIDGE INFO

J Lovejoy
 

On 5/5/21 10:45 AM, Jonas Smedegaard wrote:
Quoting Phil Odence via lists.spdx.org (2021-05-05 14:47:03)
You may be aware that based on SPDX community input we decided to move away from Uberconference. Initially the thought was to move to Zoom, but we are trying an open source alternative, Jitsi. Assuming it works for us, we�ll make the permanent move, and I will update the calendar invite accordingly.

For now, use this information for the Thursday Meeting:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting<https://urldefense.com/v3/__https:/www.google.com/url?q=https*3A*2F*2Fmeet.jit.si*2FSPDXGeneralMeeting&sa=D&ust=1619537013292000&usg=AOvVaw224M4IF9lZQ--a36gO3Lwh__;JSUlJQ!!A4F2R9G_pg!I3GFzBfRfUyGZhkyTIdNNgY2TQsTIZL85F0ubPgWSv4TkuBYAzJmtyCci41BGCiD_0k$>
Great to hear that meetings now use Open standards and Free software!

Could you please share only the room name, stripped from the URI?

I.e. the string from the URI which begins with "SPDXGeneralMeeting"...


It seems your email software and/or the mailinglist software gets upset 
by some characters in the meeting string and mangles the URI...


 - Jonas



Re: Thursday SPDX General Meeting Reminder - Special Presentation and NEW CONF BRIDGE INFO

Jonas Smedegaard
 

Quoting Phil Odence via lists.spdx.org (2021-05-05 14:47:03)
You may be aware that based on SPDX community input we decided to move away from Uberconference. Initially the thought was to move to Zoom, but we are trying an open source alternative, Jitsi. Assuming it works for us, we�ll make the permanent move, and I will update the calendar invite accordingly.

For now, use this information for the Thursday Meeting:

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting<https://urldefense.com/v3/__https:/www.google.com/url?q=https*3A*2F*2Fmeet.jit.si*2FSPDXGeneralMeeting&sa=D&ust=1619537013292000&usg=AOvVaw224M4IF9lZQ--a36gO3Lwh__;JSUlJQ!!A4F2R9G_pg!I3GFzBfRfUyGZhkyTIdNNgY2TQsTIZL85F0ubPgWSv4TkuBYAzJmtyCci41BGCiD_0k$>
Great to hear that meetings now use Open standards and Free software!

Could you please share only the room name, stripped from the URI?

I.e. the string from the URI which begins with "SPDXGeneralMeeting"...


It seems your email software and/or the mailinglist software gets upset
by some characters in the meeting string and mangles the URI...


- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private


Re: Jitsi video calling for the General Meeting tomorrow

Sebastian Crane
 

Dear all,

We now have set up our own Jitsi - thanks to Steve W! Steve tested it
with a few SPDXers in various time zones and it seemed to work
fine. We will use it for the next General Meeting, this Thursday.
It's great to hear that everything went fine in the test run :) I'll be
looking forward to tomorrow's meeting; indeed, mention of Mark Atwood's
talk has certainly piqued my interest!

As to Sebastian's query regarding using Sourcehut (instead of Github)
and a rebuild of the website using that/a different tool. I think
there is going to be very little appetite for that! It took a long
time to fully move over to Github as it was! Any change of this type
involves a fair amount of work and disruption to the normal flow of
things. We certainly have enough going on right now to not add more to
the plate!
Jilayne, too true, infrastructure migration is never easy; that said,
I'm always happy to look into any self-hosted server applications should
that appetite emerge in the future! :)

Best wishes,

Sebastian


Thursday SPDX General Meeting Reminder - Special Presentation and NEW CONF BRIDGE INFO

Phil Odence
 

You may be aware that based on SPDX community input we decided to move away from Uberconference. Initially the thought was to move to Zoom, but we are trying an open source alternative, Jitsi. Assuming it works for us, we’ll make the permanent move, and I will update the calendar invite accordingly.

 

For now, use this information for the Thursday Meeting:

 

Join the meeting:
https://meet.jit.si/SPDXGeneralMeeting

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers:
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio:
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

Our own Mark Atwood will be giving a talk this month about work he initiated to create local namespaces for licenses:

“A proposal for a DNS based SPDX tag.   Why Amazon uses LicenseRef-.com.amazon.-AmzSL-1.0”.

 

GENERAL MEETING

 

Meeting Time: Thurs, April 1, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approva https://wiki.spdx.org/view/General_Meeting/Minutes/2021-04-01

 

Special Presentation – Mark

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles

 

Technical Team Report – Kate/Gary/Others

  • Specification and Profiles
    • Overview
    • Core
    • Legal
    • Integrity
    • Defects
    • Usage and Other Emerging
  • Tooling

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach/Website Team Report – Jack

  

 

 


Re: Jitsi video calling for the General Meeting tomorrow

Steve Winslow
 

Thanks Jilayne!

One tweak, just to clarify -- I haven't set up a separate Jitsi instance, the invite Phil will be sharing is instead for a Jitsi meeting on the standard free meet.jit.si service hosted by 8x8. Their site indicates that they support up to 100 participants, which should be sufficient for the General Meeting. As Jilayne noted, we'll try it out and see how it works for the meeting and for others going forward.

Best,
Steve


On Tue, May 4, 2021 at 4:31 PM J Lovejoy <opensource@...> wrote:
Hi all,

Following up with an update on this!

First of all, big thanks to Sebastian for taking the bull by the horns and not just asking, but doing; and to Karen for offering the SFC's BBB platform.

We now have set up our own Jitsi - thanks to Steve W! Steve tested it with a few SPDXers in various time zones and it seemed to work fine. We will use it for the next General Meeting, this Thursday. Phil will send the link and dial-in info in his meeting reminder. Assuming there are no problems or major complaints, we will use it going forward for the General Meeting and Phil will send an updated invite at that point.

As to Sebastian's query regarding using Sourcehut (instead of Github) and a rebuild of the website using that/a different tool. I think there is going to be very little appetite for that! It took a long time to fully move over to Github as it was! Any change of this type involves a fair amount of work and disruption to the normal flow of things. We certainly have enough going on right now to not add more to the plate!

Thanks,

Jilayne
SPDX legal team co-lead

On 4/14/21 6:31 AM, Sebastian wrote:
Dear Steve,

I'm pleased to be able to confirm that we are arranging for the LF to
cover the cost of 8x8's Jitsi hosting for SPDX meetings. I'm getting
this set up and will aim to have it in place shortly ...
That is great to hear! With the commercial Jitsi hosting that you have
arranged and the Software Freedom Conservancy's BigBlueButton as a
contingency platform, we should be very well set up for conferencing.

Many thanks to all of you for your feedback and comments on this
topic.  Sebastian, thank you especially for investigating this and for
your efforts looking into Jitsi hosting.
Clearly I shall need to contact Fosshost to withdraw from their Jitsi
hosting offer. However, given that Fosshost have accepted SPDX as a
beneficiary of their services, I'd like to propose that we take this
opportunity to adopt Sourcehut for collaboration.

Sourcehut is a suite of free and open source tools that I've been keenly
following the development of and using for my personal projects. It's
capabilities include Git repositories, mailing lists, issue tracking,
static site hosting and even a full CI/CD pipeline. These are all
modular; they can be used independently or together at will.

Compared to GitHub, Groups.io and other platforms that we are currently
using, Sourcehut would grant us more autonomy. I believe it would be of
enormous value to many potential contributors to SPDX: sending patches
and issues does not require using proprietary software, and in many
cases doesn't even require an account - Sourcehut is based around email!
It is also much better in accessibility than the alternatives.

I've done some research into the installation and also got in touch with
a friend who self-hosted Sourcehut last year; it seems like something I
would be able to run myself or with others of the SPDX Tech team. Indeed
the Sourcehut monthly meeting is this Friday, so any interested members
of this list could take the opportunity to query the platform's creator
himself!

We needn't move off our existing software in a hurry. Given Sourcehut's
architecture this could happen in stages. A rebuild of spdx.dev as a
static side (briefly discussed in the last General Meeting) seems like a
perfect first step.

How about I reply to Fosshost to see if they are happy to exchange the
offer of video conferencing hosting to a VPS for evaluating Sourcehut?

Quite a lot to think about, I know! As always I'm always happy to try
and answer any questions here or on IRC/Gitter.

Best wishes,

Sebastian








--
Steve Winslow
VP, Compliance and Legal
The Linux Foundation


Re: Jitsi video calling for the General Meeting tomorrow

J Lovejoy
 

Hi all,

Following up with an update on this!

First of all, big thanks to Sebastian for taking the bull by the horns and not just asking, but doing; and to Karen for offering the SFC's BBB platform.

We now have set up our own Jitsi - thanks to Steve W! Steve tested it with a few SPDXers in various time zones and it seemed to work fine. We will use it for the next General Meeting, this Thursday. Phil will send the link and dial-in info in his meeting reminder. Assuming there are no problems or major complaints, we will use it going forward for the General Meeting and Phil will send an updated invite at that point.

As to Sebastian's query regarding using Sourcehut (instead of Github) and a rebuild of the website using that/a different tool. I think there is going to be very little appetite for that! It took a long time to fully move over to Github as it was! Any change of this type involves a fair amount of work and disruption to the normal flow of things. We certainly have enough going on right now to not add more to the plate!

Thanks,

Jilayne
SPDX legal team co-lead

On 4/14/21 6:31 AM, Sebastian wrote:
Dear Steve,

I'm pleased to be able to confirm that we are arranging for the LF to
cover the cost of 8x8's Jitsi hosting for SPDX meetings. I'm getting
this set up and will aim to have it in place shortly ...
That is great to hear! With the commercial Jitsi hosting that you have
arranged and the Software Freedom Conservancy's BigBlueButton as a
contingency platform, we should be very well set up for conferencing.

Many thanks to all of you for your feedback and comments on this
topic.  Sebastian, thank you especially for investigating this and for
your efforts looking into Jitsi hosting.
Clearly I shall need to contact Fosshost to withdraw from their Jitsi
hosting offer. However, given that Fosshost have accepted SPDX as a
beneficiary of their services, I'd like to propose that we take this
opportunity to adopt Sourcehut for collaboration.

Sourcehut is a suite of free and open source tools that I've been keenly
following the development of and using for my personal projects. It's
capabilities include Git repositories, mailing lists, issue tracking,
static site hosting and even a full CI/CD pipeline. These are all
modular; they can be used independently or together at will.

Compared to GitHub, Groups.io and other platforms that we are currently
using, Sourcehut would grant us more autonomy. I believe it would be of
enormous value to many potential contributors to SPDX: sending patches
and issues does not require using proprietary software, and in many
cases doesn't even require an account - Sourcehut is based around email!
It is also much better in accessibility than the alternatives.

I've done some research into the installation and also got in touch with
a friend who self-hosted Sourcehut last year; it seems like something I
would be able to run myself or with others of the SPDX Tech team. Indeed
the Sourcehut monthly meeting is this Friday, so any interested members
of this list could take the opportunity to query the platform's creator
himself!

We needn't move off our existing software in a hurry. Given Sourcehut's
architecture this could happen in stages. A rebuild of spdx.dev as a
static side (briefly discussed in the last General Meeting) seems like a
perfect first step.

How about I reply to Fosshost to see if they are happy to exchange the
offer of video conferencing hosting to a VPS for evaluating Sourcehut?

Quite a lot to think about, I know! As always I'm always happy to try
and answer any questions here or on IRC/Gitter.

Best wishes,

Sebastian






81 - 100 of 1495