|
status of git repositories?
Peter A. Bigot
From an email in the OpenEmbedded development group I've found SPDX,
and would like to try following the current specification in a new open source project I'm going to release. Ideally I'd like to be able to put tag values into the source files and have them automatically extracted. So, I'm looking for SPDX-related tools. I see from email earlier this month that there was some sort of problem which explains why the tools page link to http://git.linuxfoundation.org/?p=spdx-tools.git;a=tree does not work (it comes back with "no such project"). I'd also somewhere run across minutes from a meeting a couple months ago suggesting the tools were going to be split into separate Python and Java repositories, so perhaps the link is simply out of date. Are these tools still available anywhere, or will they be restored anytime soon? Thanks. Peter
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SPDX General team meeting schedule
Kirsten Newcomer
Hi all,
My apologies for the missed General team meeting today. I had a conflict today and didn't realize that Phil was also unavailable.
The next SPDX General meeting will be held on Thursday, December 1, at the usual time of 11 am ET.
We'll talk to you then! Thanks!
Kirsten
Kirsten Newcomer
Senior Product Manager Black Duck Software, Inc. knewcomer@... Office: +1.781.810.1839 Mobile: +1.781-710-2184
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Re: Status of spdx.org
Tom "spot" Callaway
On 11/11/2011 12:25 AM, Martin Michlmayr wrote:
- I was asked to install mediawiki a few months ago but afaik thisI am not currently active on SPDX efforts at the moment, as it is unclear whether or not Fedora will participate going forward at this point. I suppose you don't have to add mediawiki just for me then. ~tom == Fedora Project
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Status of spdx.org
Martin Michlmayr
I'm happy to say that spdx.org is back. Here is a status update.
What works: - Web site: spdx.org (as well as fossbazaar.org) are back. You should have received an email already on how to reset your password. - Mailing lists: all spdx lists (spdx, spdx-tech, spdx-legal and spdx-biz) are working again; see https://fossbazaar.org/mailman/listinfo for archives and more information. If you have subscribed to an SPDX list in the past, you are already subscribed; there's no need to re-subscribe. Questions and input needed: - I performed an audit of the code (i.e. the software behind our web site). I also looked at the web site and it seems that everything looks ok. However, if you notice any problems with the web site, the mailing lists or anything else, let me know. We had to re-install everything, so it's possible that there are some problems I'm not aware of. - I was asked to install mediawiki a few months ago but afaik this was not used at all. I've therefore no plans to install it... is this ok or do you need it? (Note: this is not the wiki at spdx.org/wiki but a separate wiki that Tom Callaway requested) - Sandbox (we had a test site where Steve Cropper and others were working on a new design of the web site): I emailed Steve to see what the requirements are. Things I cannot help with: - The bug tracker and the git repos are on LF infrastructure and not done by me. I don't have an estimate on when they'll be back. Kate is already in contact with the LF admins on this, however. Any questions or problems - please let me know. Martin P.S. Thanks to Jeff Licquia and Eric Searcy from the Linux Foundation for their help getting things back. -- Martin Michlmayr Open Source Program Office, Hewlett-Packard
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SPDX General Meeting today
Philip Odence
Sorry for the late reminder; I'm just getting back into the post-LinuxCon groove.
Meeting Time: Sept 8, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Conf call dial-in: Conference code: 7812589502 Toll-free dial-in number (U.S. and Canada): (877) 435-0230 International dial-in number: (253) 336-6732 For those dialing in from other regions, a list of toll free numbers can be found: https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF Administrative Agenda
Technical Team Report - Kate
Legal Team Report - Rockett/Karen
Business Team Report - Kim
Cross Functional Issues – Phil
Handling "over the transom" requests for information on the various lists.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Re: Clarification on purpose and participation
Karim Ratib <karim.ratib@...>
Kim and Daniel,
toggle quoted messageShow quoted text
Thanks for your informative replies. My main interest at this point is to generate an SPDX from a running Drupal installation, not a source code repository, if at all feasible - I'll check how Ninka can help there. In general, my motivation for exploring the software inventory domain is not legal as much as it is economically oriented: knowing which open source packages are used in a project is the first step in budgeting some resources (money, effort) to go towards those packages' communities. Being an open source producer/consumer myself, I wish this was an established practice. Best, Karim
On Sat, Sep 3, 2011 at 12:48 PM, D M German <dmg@...> wrote:
Kim Weins twisted the bytes to say:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Re: Clarification on purpose and participation
dmg
Kim Weins twisted the bytes to say:
Kim> Their are several commercial tools that do this, but we also feel that open Kim> source tools will be critical. Today there are a couple of OSS tools that Kim> can help find and identify open source licenses. One is FOSSology (created Kim> and maintained by HP) which is available at fossology.org. They are also Kim> hosting it at OSU's Open Source Lab. Another is ninka ( Kim> http://ninka.turingmachine.org/) which was created by Daniel German. I've Kim> cc'd Daniel -- since you may want to talk to him about some of his Kim> experience doing this. I don't believe FOSSology or Ninka will generate an Kim> SPDX file (yet). We also have some free OSS tools on the spdx.org site that Kim> can help you convert a software bill of materials from spreadsheet form into Kim> SPDX format. However that assumes you already have the info about what open Kim> source licenses are included. I wrote some scripts that will actually do a decent job of generating an SPDX document. The only (challenge|problem) is that Ninka does not recognized many of the SPDX licenses. here is an example, using Linux as the Guinea pig: http://turingmachine.org/~dmg/temp/linux-3.0.2.spdx.v0.1 Notice that this is not a true SPDX compliant document: - It is licensed under the Creative Commons. - It has some extra tags that I find useful. - It does not contain a verification code. --dmg -- Daniel M. German http://turingmachine.org/ http://silvernegative.com/ dmg (at) uvic (dot) ca replace (at) with @ and (dot) with .
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Re: Clarification on purpose and participation
Kim Weins
Hi Karim
Thanks so much for your interest and sorry for the slow response! All of the questions that you have asked are exactly on track with our next steps for SPDX. Now that we have a v1 of the SPDX spec, we want to start to create tools that will help developers that create or use OSS to better generate SPDX files. Their are several commercial tools that do this, but we also feel that open source tools will be critical. Today there are a couple of OSS tools that can help find and identify open source licenses. One is FOSSology (created and maintained by HP) which is available at fossology.org. They are also hosting it at OSU's Open Source Lab. Another is ninka ( http://ninka.turingmachine.org/) which was created by Daniel German. I've cc'd Daniel -- since you may want to talk to him about some of his experience doing this. I don't believe FOSSology or Ninka will generate an SPDX file (yet). We also have some free OSS tools on the spdx.org site that can help you convert a software bill of materials from spreadsheet form into SPDX format. However that assumes you already have the info about what open source licenses are included. We are also looking to create additional tools/toolkits that can be used, and would love help in that process. If you are interested in participating, we have three workstreams -- technical, legal and business. Each group holds regular open calls to discuss issues. You can find more details on the participate section of spdx.org. Also, you can sign up for the mailing lists and participate that way as well. Kim On Fri 8/26/11 3:57 PM, "Karim Ratib" <karim.ratib@...> wrote: Hello,Nope. Interesting idea thought - Are there existing tools within Linux distributions to generate SPDXNope. We want to create some tools though. - Is there a recommended workflow for generating a comprehensive SPDXNope.
Kim Weins | Senior Vice President, Marketing kim.weins@... Follow me on Twitter @KimAtOpenLogic 650 279 0410 | cell www.openlogic.com Follow OpenLogic on Twitter @openlogic
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Canceled Event: SPDX Legal Workstream Call 11ET/10CT/8PT @ Wed Aug 31 8am - 9am (spdx@fossbazaar.org)
Esteban Rockett <mgia3940@...>
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Updated Invitation: SPDX Legal Workstream Call 11ET/10CT/8PT @ Wed Aug 31 8am - 9am (spdx@fossbazaar.org)
Esteban Rockett <mgia3940@...>
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Clarification on purpose and participation
Karim Ratib <karim.ratib@...>
Hello,
I just discovered SPDX and after watching the 3-minute video and reading through the Web site, I am eager to understand more - and possibly to participate in the effort, in my capacity as a software developer. I develop web applications using the open source Drupal CMS, and each implementation typically uses tens, if not hundreds, of contributed modules. Each module as well as the core system are GPL licensed. I would like to generate a bill of material for the whole application, and eventually for the server that hosts the application. My initial thought is to write a software tool that generates a single SPDX file based on the Drupal installation's metadata - core version, installed modules, additional libraries, etc. Is this what would be expected to comply with the SPDX vision? As follow-up questions: - Is there a convention to query Web applications for their SPDX (e.g. a well-known URI) ? - Are there existing tools within Linux distributions to generate SPDX for installed packages ? - Is there a recommended workflow for generating a comprehensive SPDX document for a given computer (desktop/server) ? Sorry of these are naive questions - thanks in advance for taking the time to enlighten me. Karim
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
No SPDX General Meeting...next one Sept 8
Philip Odence
To let everyone catch a late summer breath in the wake of the V1.0 release, we'll not be holding a general meeting this week. LinuxCon SPDX Summary It was a great event. The main focus was the 20th anniversary of Linux, but despite that, the first slide of Jim Zemlin's opening was the SPDX 1.0 announcement. Several hours before that, we put out a press release (well done, Kim) with a number of great quotes from the community. Rockett and I presented details of the 1.0 release to a group of about 40 and the news was well received. As you know we had a booth; none of the booths were terribly active, but we did have folks stop by the SPDX booth each day. We also had a BoF (Birds of a Feather) session with about a dozen participants. A few issues came up in that session which we will be discussing in the various teams. The main thrusts of the discussion were around hierarchy/nesting of SPDX files and licensing of the data. On the latter point, there was concern about the unfamiliarity of the PDDL, and that it would impede adoption. Again, congrats to everyone who contributed to the 1.0 release…onward and upward.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
LinuxCon: I have an extra ticket to the gala
dmg
in case somebody needs one... let me know...
-- -- Daniel M. German http://turingmachine.org/ http://silvernegative.com/ dmg (at) uvic (dot) ca replace (at) with @ and (dot) with .
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SPDX V1.0 Announced
Philip Odence
Congrats and thanks (from Vancouver) to everyone who has been involved with SPDX. Best, Phil L. Philip Odence Vice President of Business Development Black Duck Software, Inc. 265 Winter Street, Waltham, MA 02451 Phone: 781.810.1819, Mobile: 781.258.9502 Skype: philip.odence
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Re: Cancelled: SPDX Business (Rollout) Call 11ET/8PT
guillaume.rousseau@antelink.com
Hi everyone,
I was wondering if the final version of the press release was avalailable, and when it will be released (should be tomorrow). best regards, Guillaume Le 15/08/11 18:27, Kim Weins a écrit :
-- Guillaume ROUSSEAU CEO, Co-Founder, Antelink Président, Cofondateur, Antelink 18, rue Yves Toudic, 75010, Paris 10ème, France http://www.antelink.com/ +33 1 42 39 30 78
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Cancelled: SPDX Business (Rollout) Call 11ET/8PT
Kim Weins
We will be doing the rollout for SPDX 1.0 at LinuxCon NA.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Re: Revised SPDX TM License, and Draft Attribution Statements
Peter Williams <peter.williams@...>
Does this license allow you to use the trademarks in relation to
toggle quoted messageShow quoted text
software and service offerings which produce, consume or generally involve SPDX files? Peter openlogic.com
On Thu, Aug 11, 2011 at 6:07 AM, Esteban Rockett <mgia3940@...> wrote:
All:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Revised SPDX TM License, and Draft Attribution Statements
Esteban Rockett <mgia3940@...>
All:
For discussion on today's "All Hands Call", below please find (i) a revised "SPDX TM License" draft and (ii) draft Attribution Statements. Many thanks, Rockett *** SPDX™ Trademark License (v2) (new text in underlined)
The “SPDX” and “Software Package Data Exchange” trademarks (collectively, “SPDX Trademarks”) are owned by the SPDX Workgroup, which is sponsored by the Linux Foundation (“LF”). LF holds the SPDX Trademarks in trust for the SPDX Workgroup. The SPDX Workgroup hereby grants you a royalty-free, non-exclusive, non-assignable, non-transferable, non-sublicensable, world-wide license to use its SPDX Trademarks in connection with files containing software licensing information if you: (i) solely use the SPDX Trademarks in connection with files containing all of the SPDX “Mandatory Fields” as defined in the applicable version of the SPDX specification as published on www.spdx.org ("SPDX Specification"); (ii) solely uses the SPDX Trademarks in connection with files that do not utilize additional fields, unless such additional fields are (a) “Optional Fields” as defined in the applicable version of the SPDX Specification or (b) otherwise explicitly permitted in the applicable version of the SPDX Specification; (iii) recite the applicable SPDX Specification version in, or with, your use of any of the SPDX Trademarks; and (iv) fully comply with (a) the applicable version of the SPDX Specification and (b) the license (Creative Commons Attribution License 3.0 Unported (also known as CC-BY-3.0)) under which each SPDX Specification is offered in its entirety.
This SPDX TM License shall automatically be revoked in perpetuity if you fail to comply with any of the above requirements. A revoked SPDX TM License may only be restored by (i) you submitting a petition for restoration to the Legal Team of the SPDX Workgroup (“Legal Team”), (ii) attending any required meetings for inquiry in the circumstances, and (iii) a consensus of the Legal Team to restore your license. *** (ii) draft Attribution Statements. New Section 1.7.2 1.7.2.1 The official copyright notice to be used with any verbatim reproduction and/or distribution of this SPDX Specification 1.0 is: "Official SPDX Specification 1.0. Copyright © 2010-2011 Linux Foundation and its Contributors. Licensed under the Creative Commons Attribution License 3.0 Unported. All other rights are expressly reserved." -- note, we should add the same to Section 2.1 to be embedded in compliant "SPDX files" -- 1.7.2.2 The official copyright notice to be used with (i) any non-verbatim reproduction and/or distribution of this SPDX Specification, including without limitation any partial use or combining this SPDX Specification with another work, or (ii) any SPDX file which is not compliant with this SPDX Specification and SPDX Trademark License, is: "This is not an official SPDX Specification or SPDX file. Portions herein have been reproduced from SPDX Specification 1.0 found at www.spdx.com. These portions are Copyright © 2010-2011 Linux Foundation and its Contributors, and are licensed under the Creative Commons Attribution License 3.0 Unported by the Linux Foundation and its Contributors. All other rights are expressly reserved by Linux Foundation and its Contributors." *** -- Motorola Mobility, Inc. E.A. Rockett Senior Counsel Software, Applications & Digital Content Licensing (408)541-6703 (O) (408)541-6900 (F) (415)508-7625 (M) rockett@...
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
20110810 draft of SPEC posted
Kate Stewart <kate.stewart@...>
Latest draft can be found: http://www.spdx.org/wiki/spdx/specification
Help with cleaning it up editorially is most appreciated. Thanks, Kate
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SPDX General Meeting Agenda and Reminder for Thursday's meeting
Philip Odence
I am on vacation, so Kirsten will host… Meeting Time: June 30, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html Conf call dial-in: Conference code: 7812589502 Toll-free dial-in number (U.S. and Canada): (877) 435-0230 International dial-in number: (253) 336-6732 For those dialing in from other regions, a list of toll free numbers can be found: https://www.intercallonline.com/portlets/scheduling/viewNumbers/viewNumber.do?ownerNumber=6053870&audioType=RP&viewGa=false&ga=OFF Administrative Agenda
Technical Team Report - Kate Legal Team Report - Rockett/Karen Business Team Report - Kim Cross Functional Issues – Discussion Website
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|