LinuxCon schedule posted
Lamons, Scott (Open Source Program Office) <scott.lamons@...>
http://events.linuxfoundation.org/events/linuxcon-north-america/program/schedule
Samsung is presenting a talk on SPDX Monday morning…
-Scott
|
|
A little more on Fantec
Philip Odence
I've posted a couple of items about the Fantec case to the SPDX legal list. Adding this one and including all, because it's authored by Mark Radcliffe (counsel to OSI) and because Mark puts in a nice plug for SPDX.
http://osdelivers.blackducksoftware.com/2013/07/12/fantec-critical-lessons-for-foss-compliance/
|
|
IDs for Sun Industry Standards Source License
Camille Moulin <camille.moulin@...>
Hi all,
I'm comparing SPDX and Fossology's license IDs and encountered a little difficulty regarding the Sun Industry Standards Source License. The SPDX id for the version 1.1 of the license is just "SISSL", while Fossology's is "SISSL-1.1". At first glance, it seems that Fossology's choice is more consistent with SPDX's naming scheme, and I don't see the benefits of removing the version number. It also seems that there is a 1.2 version of this license (http://gridscheduler.sourceforge.net/Gridengine_SISSL_license.html).
So, would adding the version number to the ID be desirable / possible?
Best,
Camille
--
Gouvernance Open Source - Alter Way
www.alterway.fr
|
|
SPDX General Meeting Minutes Correction
Philip Odence
Thanks to my friend Bruno Grasset for pointing out an error in my previous memo.
I had overwritten the May 2 minutes with the content of the July 3 minutes. The link I provided was to the correct content, but with the wrong title. Thanks to the Wiki's revisioning capability, I was able to retrieve the May 2 minutes as well as to properly create the July 3 minutes:
Sorry for any confusion this may have caused.
|
|
Minutes from July 3 SPDX General Meeting
Philip Odence
|
|
towards a new version of ninka.
dmg
hi everybody,
if you use ninka, this might be useful to you. With the help of Armijn I have been cleaning up some regressions and improved some licenses. The new code is now in the github repo: http://github.com/dmgerman/ninka
- Renamed InterACPILic to IntelACPILic
- Renamed openSSLvar2 to Apachev1.0
- Split QtorGPLv2orv3exception to QtorGPLv2orv3 from the exception
- Better detection of GPL licenses
- BSD and MIT spdx licenses detected (prefixed with spdx ie. spdxBSD3)
- Added a bunch of licenses...
unless I find some major problems, I will release a new version in few days.
--dmg
--
Daniel M. German
"There is the greatest difference between presuming an opinion to be true, because, with every opportunity for contesting it, it has not been refuted, and assuming its truth for the purpose of not permitting its refutation." (John Stuart Mill)
http://turingmachine.org/
http://silvernegative.com/
dmg (at) uvic (dot) ca
replace (at) with @ and (dot) with .
|
|
SPDX General Meeting Reminder - Wednesday, July 3
Philip Odence
Recognizing that Thursday is a holiday in the US, we will run the meeting at the normal time, but on Wednesday.
NOTE: As part of the business team report, Phil will do a quick review of the survey results. In advance of the meeting, download the docs at the bottom of this page:
Meeting Time: Wednesday, July 3, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Conf call dial-in:
Conference code: 7812589502
Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF
Administrative Agenda
Attendance
Approve Minutes-
Technical Team Report - Kate
Legal Team Report - Jilayne
Business Team Report – Jack/Scott
Phil will review quickly results of survey
Cross Functional Issues –
Phil
Website Update – Jack
|
|
SPDX General Meeting
Philip Odence
When: Wednesday, July 03, 2013 11:00 AM-12:00 PM. (UTC-05:00) Eastern Time (US & Canada)
Where: Bridge info enclosed
*~*~*~*~*~*~*~*~*~*
As the 4th is a holiday in the US, will do the call on July 3, same time. Hope everyone can make it.
Please accept so this recurring meeting is on your calendar, however no need to respond.
DIAL IN:
Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
Conference code: 7812589502
MEETING MINUTES FOR REVIEW: http://spdx.org/wiki/meeting-minutes-and-decisions
|
|
SPDX General Meeting Thursday
Philip Odence
NOTE:
As part of the business team report, Phil will do a quick review of the survey results. In advance of the meeting, download the docs at the bottom of this page:
Meeting Time: Thursday, June 6, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Conf call dial-in:
Conference code: 7812589502
Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF
Administrative Agenda
Attendance
Approve Minutes-
Technical Team Report - Kate
Legal Team Report - Jilayne
Business Team Report – Jack/Scott
Phil will review results of survey
Cross Functional Issues –
Phil
Website Update – Jack
|
|
Re: Software unique identification
Roger Meier <roger@...>
Hi Michel
I think the "Official Common Platform Enumeration (CPE) Dictionary" http://nvd.nist.gov/cpe.cfm is a good starting point for this topic.
Another source to consider is ISO/IEC 19770.
all the best!
-roger
;-r
Quoting "RUFFIN, MICHEL (MICHEL)" <michel.ruffin@...>:
> Dear all we are facing a very difficult issue: How to identify uniquely Software.
|
|
Re: Software unique identification
Armijn Hemel - Tjaldur Software Governance Solutions <armijn@...>
hi,
> I am currently a senior systems engineer at Nokia, and I can say
This is not my experience at all. In the Binary Analysis Tool I use fingerprinting using string constants, function names, variable names, and so on, and I can reliably tell versions of binaries apart (granted: the information has to be in my database). This is absolutely no problem at all.
armijn
--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions
|
|
Re: Software unique identification
William Boyle
I am currently a senior systems engineer at Nokia, and I can say without reservation that we face this problem also, identifying specific versions of software (binaries as well as sources). Binaries can change, even if the source does not, if for example the compiler is updated, or associated libraries. This is especially problematic when the libraries are (as is often the case) dynamically-linked shared libraries.
Bill Boyle
Senior Systems Engineer, Nokia Mobile Phones, Itasca, Illinois
On Mon, May 13, 2013 at 9:56 AM, RUFFIN, MICHEL (MICHEL) <michel.ruffin@...> wrote:
> Dear all we are facing a very difficult issue: How to identify uniquely
|
|
Software unique identification
RUFFIN MICHEL
Dear all we are facing a very difficult issue: How to identify uniquely Software.
In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming from outsourcing contracts, …) The goal is to automate a lot of things: royalty tracking, producing documentations on FOSS respecting the license obligations automatically, knowing which ALU product is using what SW, automatically connecting with tools such as Blackduck protex or Palamida or any others of their competitors, …
The major issue is SW unique identification: Today we have the following:
I know that SPDX is not perhaps the best place to discuss this issue, but I would like to engage a discussion on this topic
So my question here is: do you have similar concerns in your companies, and what can we do to solve this issue (should we create a group on this?)
Michel
Michel.Ruffin@..., PhD
Software Coordination Manager, N&P IS/IT Distinguished Member of Technical Staff Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux Route De Villejust, 91620 Nozay, France
|
|
Minutes from May 2 Meeting
Philip Odence
The survey is still open. If you haven't responded, please do: www.spdx.org/survey
|
|
SPDX General Meeting Reminder and Collab Summit Summary
Philip Odence
Announcements
Summary of very successful Collaboration Summit (also appended at the bottom)
HELP WITH THE SURVEY (please please please)
Meeting Time: Thursday, May 2, 8am PST / 10 am CST / 11am EST / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Conf call dial-in:
Conference code: 7812589502
Toll-free dial-in number (U.S. and Canada): (877) 435-0230
International dial-in number: (253) 336-6732
For those dialing in from other regions, a list of toll free numbers can be found: https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF
Administrative Agenda
Attendance
Approve Minutes-
Technical Team Report - Kate
Next steps
Legal Team Report - Jilayne
Next steps
Business Team Report – Jack/Scott
Next steps
Cross Functional Issues –
Phil
Website Update – Jack
COLLABORATION SUMMIT SUMMARY
For those of you who didn’t make it to the Collaboration Summit, below is a summary of the different components of the event. It was pretty inspiring in a number of ways…for me, it felt like the rubber is finally meeting the road seeing real tools—our own, from academia, and commercial—putting out real live SPDX docs. The ever positive KarenC summed it up as “The discussions have much more of a feeling that this has to happen – the only questions are around how.” And I agree.
All the team leads did an outstanding job organizing our ever expanding involvement in Linux event. (Now we even get our own track.) Gary, MarkG and Adam were also key in pulling this off.
Tech Team Working Session
In this session we went through the current model proposal for 2.0, and discussed options that would simplify the model, and still meet the use cases we're targeting. We were also able to start off the relationship and element usage enumerations. Full details can be found at: http://wiki.spdx.org/view/Technical_Team/Minutes/2013-04-16.
Legal Team Working Session
The SPDX Legal Team met at the LF Collab Summit to hash out the remaining bits of the License Matching guidelines. Namely whether SPDX should provide "guidelines only" in regards to what is to be considered substantive text of a license for matching purposes or whether SPDX should go further and provide some kind of actual markup or examples in regards to text that can be ignored or considered "replaceable" for matching purposes. And, if the latter, to what extent and in what format to provide such markup or examples. The legal team, with good representation from various tool makers and tech team members, decided that markup was needed to avoid potential differences in interpretation by tool makers. It was decided to use simple markup that could be illustrated within a .txt file, as that is the (mostly) preferred download format for the licenses. The exact details of the markup are being worked out and the Legal Team (with help from anyone else in the SPDX Workgroup) will manage getting the markup created for the entire current SPDX License List.
Open SPDX Discussion
Mark Gisi from Windriver and Adam Cohn from Cisco held this session on Tuesday afternoon. It was held under Chatham House Rules which means “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”. Now before you say hey you just said you weren’t supposed to mention names, these two were the chairs as listed on the SPDX schedule. There was a lot of good discussion. One individual talked about how they are fully integrating SPDX into what their company delivers and how they are shipping, and I believe the number was, over 500 SPDX documents with each release. They also had a website for generating SPDX documents. Others talked about how they have started to integrate SPDX into their compliance process using it for reviews but not yet quite shipping. The reasons seemed to vary for that but they appeared to be more procedural than SPDX related. One individual did raise a concern on the amount of time that it might take to generate SPDX documents adding that it increased the cost of their compliance it was not something they could do. A few individuals talked about the adoption of SPDX among open source projects. There was some discussion on how this could be done now as there are a few open source tools that have appeared to generate SPDX documents. One individual talked about how they would like to see SPDX become more fully integrated into the community meaning that practices normally associated with an open source project such as peer review and so forth were used and considered part of the process of generating, reviewing and editing SPDX documents.
SPDX Morning Sessions
Mark Gisi (the man that Scott calls “the spiritual leader of SPDX adoption”) kicked off the morning with License to Kill…You Code, a very cogent treatise on why it’s important for copyright holders to get it right if they want their projects to thrive.
Then Gary “the Toolman” O’Neall led a panel on Tooling up for SPDX. He gave an overview of group, community and commercial tools that are now compatible with SPDX. Gary was joined by Matt Germonprez of the University of Nebraska Omaha and Sameer Ahmed from Wind River Systems who both talked in some detail about work their groups have done to “tool up.”
Conclusion: This stuff is real! And to prove it…
SPDX Bakeoff
The SPDX Bakeoff was held Wednesday afternoon. Our main objective was to compare SPDX output from different tools in order to identify bugs and resolve different interpretations of the specification. We had great representation from the various tool providers, members of the SPDX working group, and a number of other interested parties. Gary O’Neall’s excellent spreadsheet comparison tool was used as the basis for comparison of the various SPDX files. Per the agenda, we first stepped through the complete Time package on a file by file basis. Following that we dove into Busybox but only at the package level. There was a lot of good discussion and yes we did find some bugs in the tools and areas where the specification needs to be improved. All in all it was a very productive session and should serve to advance the adoption of SPDX. The spreadsheet along with notes from the session are captured in this Google doc folder: https://drive.google.com/?tab=mo&authuser=0#folders/0BxKdX878M2HCTlZIbkZSMXN6SGc
|
|
SPDX Website and Survey
Philip Odence
Here's some great news about the website and a request for your help with the SPDX survey.
WEBSITE
I am pleased to tell you that http://spdx.org/ has been upgraded with a new, superior underlying platform as well as new architecture/look & feel. It should take you about 2 seconds to notice the improvement. The biggest conceptual change is that we have separated the main site from the wiki and upgraded the wiki as well. Now the main site is mainly for purposes of learning and consumption and the wiki is our working area.
Jack Manbeck deserves a ton of credit for driving this change and herding the cats needed to make it happen before the Collaboration Summit. (He's accepting beers in SF next week.) Other worthy beer recipients are Brian Warner from the Linux Foundation and Martin Michlmayr who seamlessly migrated the wiki. Jilayne, Scott, Kate and Gary also participated in the heavy lifting, and credit goes to Ibrahim Haddad for originally convincing us to accept the Foundation's generous offer to help with the site.
SURVEY
A key part of the business team's agenda is to make sure we systematically collect and utilize industry feedback on an ongoing basis. The first step in that is a survey to help better understand current awareness and adoption of SPDX and to get some insight into future plans and what we can do to shape that future. http://www.spdx.org/survey
We will be promoting the survey at the Collaboration Summit. Here is how you can help drive further participation:
Thanks,
Phil
L. Philip Odence
Vice President of Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence
|
|
Re: Wiki migration: feedback required
Lamons, Scott (Open Source Program Office) <scott.lamons@...>
New wiki looks great.
Scott: ++1 The LF hasn't installed a WYSIWYG editor yet but we can request it if there's a need. Jack: I'm thinking we should request one. Media wiki syntax while not difficult may seem bizarre to some people? Scott: yes!
|
|
Re: Wiki migrated to MediaWiki
Martin Michlmayr
* Marc-Etienne Vargenau <Marc-Etienne.Vargenau@...> [2013-04-11 15:48]:
> The e-mail address wiki@... given in page
Yeah, I know. I also sent a request to the LF. You can email me directly in the meantime.
--
Martin Michlmayr
Open Source Program Office, Hewlett-Packard
|
|
Re: Wiki migrated to MediaWiki
Marc-Etienne Vargenau
Le 11/04/2013 12:58, Martin Michlmayr a écrit :
> The wiki has been migrated to a proper wiki using MediaWiki. All
Hello,
The e-mail address wiki@... given in page http://wiki.spdx.org/view/Getting_started to request an account does not seem to work.
Best regards,
Marc-Etienne
--
Marc-Etienne Vargenau
Marc-Etienne.Vargenau@...
Alcatel-Lucent France, Route de Villejust, 91620 NOZAY, FRANCE
+33 1 30 77 28 33 OnNet 2103 2833
|
|
Re: Wiki migrated to MediaWiki
Manbeck, Jack
I glossed over the Getting Started link. Would it make sense to display it as "Getting Started Using this Wiki"?
Jack
-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Martin Michlmayr
Sent: Thursday, April 11, 2013 6:59 AM
To: spdx@...
Subject: Wiki migrated to MediaWiki
The wiki has been migrated to a proper wiki using MediaWiki. All content (including past revisions) has been migrated.
You can find the new wiki at http://wiki.spdx.org/view/
Here's a "Getting started" guide: http://wiki.spdx.org/view/Getting_started
And a set of proposed wiki conventions, although they will have to be refined as we gain more experience with the new wiki: http://wiki.spdx.org/view/Wiki_Conventions
If you have any questions, please let me know.
--
Martin Michlmayr
Open Source Program Office, Hewlett-Packard
_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx
|
|