
Re: Funding for Hosting On-Line SPDX Tools

Gary O'Neall
 

Hi Mark,

 

Yes – SPDX is using AWS for the hosting (see https://github.com/spdx/spdx-online-tools/issues/194 for a discussion on the hosting options).

 

The deployment is a bit complex (Java/Python/Django/PostgreSQL).

 

Any credits/help is appreciated.

 

I registered the account that is hosting the site – so feel free to contact me for additional details.

 

Gary

 

 

From: spdx@... <spdx@...> On Behalf Of Mark Atwood via lists.spdx.org
Sent: Monday, August 3, 2020 7:15 PM
To: spdx@...; phil.odence@...; Kate Stewart <kstewart@...>
Subject: Re: [spdx] Funding for Hosting On-Line SPDX Tools

 

Is SPDX using AWS for any hosting?  I can probably get gratis AWS credits provided to SPDX.

 

And since SPDX is using GitHub, GitHub Pages can be used to host HTML/CSS/JS.

 

..m

 

 

Mark Atwood <atwoodm@...>

Principal, Open Source

+1-206-604-2198

 

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence
Sent: Tuesday, July 28, 2020 11:18 AM
To: spdx@...
Subject: [EXTERNAL] [spdx] Funding for Hosting On-Line SPDX Tools

 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover the modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching half way there.

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 


 


Re: Funding for Hosting On-Line SPDX Tools

Mark Atwood
 

Is SPDX using AWS for any hosting?  I can probably get gratis AWS credits provided to SPDX.

 

And since SPDX is using GitHub, GitHub Pages can be used to host HTML/CSS/JS.

 

..m

 

 

Mark Atwood <atwoodm@...>

Principal, Open Source

+1-206-604-2198

 

 

 

From: spdx@... <spdx@...> On Behalf Of Phil Odence
Sent: Tuesday, July 28, 2020 11:18 AM
To: spdx@...
Subject: [EXTERNAL] [spdx] Funding for Hosting On-Line SPDX Tools

 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover the modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching half way there.

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 


 


Re: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

J Lovejoy
 

I just donated using a Visa and it worked.

J.

On Jul 31, 2020, at 9:22 AM, Steve Winslow <swinslow@...> wrote:

Sorry to hear that, McCoy... I've reached out to the CommunityBridge maintainers to ask them to look into this and figure out what's going on. Will let you know what I hear back.

Best,
Steve

On Fri, Jul 31, 2020 at 11:02 AM Shane Coughlan <scoughlan@...> wrote:
Looping our SPDX friends into the thread so they can check this out.

:O

On Jul 31, 2020, at 23:25, McCoy Smith <mccoy@...> wrote:



Not sure who to alert on this, but I’ve tried to donate, and I keep getting rejected.  It won’t accept any credit card of mine. “Failed to Create Credit Card” is the error message I get (both for AmEx & Visa cards).

 

From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Thursday, July 30, 2020 4:58 PM
To: OpenChain Main <main@...>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>
Subject: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

For those with an interest in tooling and SPDX :)



Begin forwarded message:

 

From: "Phil Odence" <phil.odence@...>

Subject: [spdx] Funding for Hosting On-Line SPDX Tools

Date: July 29, 2020 3:18:03 JST

Reply-To: spdx@...

 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover the modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching half way there. 

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

 

 



 

 

 

 






--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


Re: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

Phil Odence
 

Thanks, Steve. And, McCoy, thanks in advance for the contribution!

Best,

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 


 

 

From: <main@...> on behalf of Steve Winslow <swinslow@...>
Reply-To: "main@..." <main@...>
Date: Friday, July 31, 2020 at 11:22 AM
To: "main@..." <main@...>
Cc: OpenChain Tooling <oss-based-compliance-tooling@groups.io>, "spdx@..." <spdx@...>
Subject: Re: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

Sorry to hear that, McCoy... I've reached out to the CommunityBridge maintainers to ask them to look into this and figure out what's going on. Will let you know what I hear back.

 

Best,

Steve

 

On Fri, Jul 31, 2020 at 11:02 AM Shane Coughlan <scoughlan@...> wrote:

Looping our SPDX friends into the thread so they can check this out.

 

:O



On Jul 31, 2020, at 23:25, McCoy Smith <mccoy@...> wrote:

Not sure who to alert on this, but I’ve tried to donate, and I keep getting rejected.  It won’t accept any credit card of mine. “Failed to Create Credit Card” is the error message I get (both for AmEx & Visa cards).

 

From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Thursday, July 30, 2020 4:58 PM
To: OpenChain Main <main@...>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>
Subject: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

For those with an interest in tooling and SPDX :)

 

Begin forwarded message:

 

From: "Phil Odence" <phil.odence@...>

Subject: [spdx] Funding for Hosting On-Line SPDX Tools

Date: July 29, 2020 3:18:03 JST

To: "spdx@..." <spdx@...>

Reply-To: spdx@...

 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover the modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching half way there. 

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

 

 


 

 

 

 



--

Steve Winslow
Director of Strategic Programs
The Linux Foundation


Re: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

Steve Winslow
 

Sorry to hear that, McCoy... I've reached out to the CommunityBridge maintainers to ask them to look into this and figure out what's going on. Will let you know what I hear back.

Best,
Steve


On Fri, Jul 31, 2020 at 11:02 AM Shane Coughlan <scoughlan@...> wrote:
Looping our SPDX friends into the thread so they can check this out.

:O

On Jul 31, 2020, at 23:25, McCoy Smith <mccoy@...> wrote:



Not sure who to alert on this, but I’ve tried to donate, and I keep getting rejected.  It won’t accept any credit card of mine. “Failed to Create Credit Card” is the error message I get (both for AmEx & Visa cards).

 

From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Thursday, July 30, 2020 4:58 PM
To: OpenChain Main <main@...>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>
Subject: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

For those with an interest in tooling and SPDX :)



Begin forwarded message:

 

From: "Phil Odence" <phil.odence@...>

Subject: [spdx] Funding for Hosting On-Line SPDX Tools

Date: July 29, 2020 3:18:03 JST

Reply-To: spdx@...

 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover the modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching half way there. 

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

 

 


 

 

 

 



--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


Re: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

Looping our SPDX friends into the thread so they can check this out.

:O

On Jul 31, 2020, at 23:25, McCoy Smith <mccoy@...> wrote:



Not sure who to alert on this, but I’ve tried to donate, and I keep getting rejected.  It won’t accept any credit card of mine. “Failed to Create Credit Card” is the error message I get (both for AmEx & Visa cards).

 

From: main@... <main@...> On Behalf Of Shane Coughlan
Sent: Thursday, July 30, 2020 4:58 PM
To: OpenChain Main <main@...>; OpenChain Tooling <oss-based-compliance-tooling@groups.io>
Subject: [openchain] [spdx] Funding for Hosting On-Line SPDX Tools

 

For those with an interest in tooling and SPDX :)



Begin forwarded message:

 

From: "Phil Odence" <phil.odence@...>

Subject: [spdx] Funding for Hosting On-Line SPDX Tools

Date: July 29, 2020 3:18:03 JST

Reply-To: spdx@...

 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover the modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching half way there. 

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

 

 


 

 

 

 


Re: Request for suggestion: wording of SPDX tag

 

I’m on it!

SPDX Team! We have a proposal in from the OpenChain Japan Licensing Information Exchange Work Group. Please see the suggested addition below.

Shane

On Jul 29, 2020, at 11:54, YOSHIYUKI ITO <yoshiyuki.ito.ub@...> wrote:


Hi Shane-san,

May I ask you to provide a suggestion so that we can make a proposal to the SPDX community?

We, the Lic. Inf. Exch. SWG members, discussed a “Usage Profile” for SPDX 3.0 reference as another extension of SPDX Lite.
And we need to describe information about the “Product” name in the SPDX file.

Can you suggest any better wording than “Prerequisite Product” to describe “Identify the name of the target product that is used as the prerequisite for the license compatibility assumption” for the tag name in the SPDX file?

Regards,
Yoshiyuki Ito.


Re: SPDX license identifier for bzip2 are strange, why?

J Lovejoy
 

< bcc general list as FYI for anyone who wants to follow the discussion, but moving to legal list>

Quick search shows:
- both versions were on the list when we moved to the XML format in 2016

However, I’m not clear on if that was both versions or what…

a ha! search on wiki meeting minutes then found this: https://wiki.spdx.org/view/Legal_Team/Minutes/2014-06-26
regarding diff b/w 1.0.5 and 1.0.6

we should check 1.0.7 and 8 against matching guidelines.

that’s all I have for now, it’s late.

higher power, eh? ;)


Cheers,
Jilayne

PS given this quick trip back in time at our process flow for new licenses back then… OMG, LOOK HOW FAR WE’VE COME!!!!


On Jul 29, 2020, at 12:38 PM, Mark Atwood via lists.spdx.org <atwoodm=amazon.com@...> wrote:

Hi!
 
I’ve started looking at the license and the SPDX identifiers on the “bzip2” project.
 
The license looks like an unsurprising BSD variant, but weirdly it’s been getting a versioned license ID with each release version.  The difference between two versions seems to be entirely just the date and the software version.
 
Can this instead just match against one of the BSD variant templates?
 
Why does bzip2 get such finely versioned license identifiers?  Do we plan on creating a new license identifier when bzip2 releases version 1.0.9?
 
..m
 
 
Mark Atwood <atwoodm@...>
Principal, Open Source
+1-206-604-2198
 
 
 
From: Cressey, Ben <bcressey@...> 
Sent: Wednesday, July 29, 2020 11:03 AM
To: Atwood, Mark <atwoodm@...>
Cc: etaoin, iliana <iweller@...>
Subject: SPDX license identifier for bzip2
 
Hi Mark,
 
iliana suggested I run this by you, as a higher power in the SPDX org.
 
I’m looking to package bzip2 for Bottlerocket. It has an odd license that Fedora dubs “BSD” but which SPDX has a versioned license for:
 
The upstream author seems to revise the license with each new version, though 1.0.7 and 1.0.8 are close except for the date and version:
 
iliana recommended that I use the “bzip2-1.0.6” identifier for now.
 
Perhaps the author could be persuaded to tweak the license so that it doesn’t need a new SPDX identifier for every release? Maybe it doesn’t matter and 1.0.6 is close enough until they change the text in a significant way again?
 
Thanks,
Ben


SPDX license identifier for bzip2 are strange, why?

Mark Atwood
 

Hi!

 

I’ve started looking at the license and the SPDX identifiers on the “bzip2” project.

 

The license looks like an unsurprising BSD variant, but weirdly it’s been getting a versioned license ID with each release version.  The difference between two versions seems to be entirely just the date and the software version.

 

Can this instead just match against one of the BSD variant templates?

 

Why does bzip2 get such finely versioned license identifiers?  Do we plan on creating a new license identifier when bzip2 releases version 1.0.9?

 

..m

 

 

Mark Atwood <atwoodm@...>

Principal, Open Source

+1-206-604-2198

 

 

 

From: Cressey, Ben <bcressey@...>
Sent: Wednesday, July 29, 2020 11:03 AM
To: Atwood, Mark <atwoodm@...>
Cc: etaoin, iliana <iweller@...>
Subject: SPDX license identifier for bzip2

 

Hi Mark,

 

iliana suggested I run this by you, as a higher power in the SPDX org.

 

I’m looking to package bzip2 for Bottlerocket. It has an odd license that Fedora dubs “BSD” but which SPDX has a versioned license for:

https://spdx.org/licenses/bzip2-1.0.5.html

https://spdx.org/licenses/bzip2-1.0.6.html

 

The upstream author seems to revise the license with each new version, though 1.0.7 and 1.0.8 are close except for the date and version:

https://sourceware.org/git/?p=bzip2.git;a=blob;f=LICENSE;hb=bzip2-1.0.7

https://sourceware.org/git/?p=bzip2.git;a=blob;f=LICENSE;hb=bzip2-1.0.8

 

iliana recommended that I use the “bzip2-1.0.6” identifier for now.

 

Perhaps the author could be persuaded to tweak the license so that it doesn’t need a new SPDX identifier for every release? Maybe it doesn’t matter and 1.0.6 is close enough until they change the text in a significant way again?

 

Thanks,

Ben
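The question running through this thread, whether two license texts that differ only in a date and a version string should map to one identifier, is exactly what the SPDX matching guidelines and replaceable-text templates are meant to settle. As an added illustration that is not part of the thread and not SPDX's own tooling, the Python below is a toy matcher: it normalizes text in the spirit of the guidelines (case, whitespace, typographic dashes and quotes) and treats marked fields as replaceable, so texts that differ only in those fields match one template while a text with a changed clause does not. The license texts, the `{{placeholder}}` syntax and the identifier `Example-BSD-variant` are constructed stand-ins, not the bzip2 license text or the real SPDX license XML (whose equivalent of a placeholder is the `<alt>` element).

```python
import re

# Added example (not SPDX's own tooling): a toy matcher in the spirit of the
# SPDX License List Matching Guidelines.  All license texts below are
# CONSTRUCTED stand-ins, not the real bzip2 LICENSE files.

# Placeholder patterns standing in for replaceable text.  In the real SPDX
# license XML this role is played by <alt>; the {{name}} syntax is ours.
PLACEHOLDER_PATTERNS = {
    "years": r"\d{4}(?:-\d{4})?",
    "version": r"\d+(?:\.\d+)*",
    "date": r"\d{1,2} [a-z]+ \d{4}",
}


def normalize(text: str) -> str:
    """Simplified guideline normalization: case-insensitive, whitespace
    collapsed, typographic quotes and dashes unified.  (The real guidelines
    also cover bullets, hyphenation at line ends, and more.)"""
    text = text.lower()
    text = text.replace("\u201c", '"').replace("\u201d", '"').replace("\u2019", "'")
    text = re.sub(r"[\u2010-\u2015]", "-", text)   # en/em dashes -> hyphen
    return re.sub(r"\s+", " ", text).strip()


def compile_template(template: str):
    """Turn a template with {{placeholders}} into a regex plus the ordered
    list of placeholder names that the regex captures."""
    names, pieces = [], []
    for part in re.split(r"(\{\{\w+\}\})", normalize(template)):
        m = re.fullmatch(r"\{\{(\w+)\}\}", part)
        if m:
            names.append(m.group(1))
            pieces.append("(" + PLACEHOLDER_PATTERNS[m.group(1)] + ")")
        else:
            pieces.append(re.escape(part))
    return re.compile("".join(pieces)), names


def match_license(text: str, template: str):
    """Return the captured replaceable fields if `text` matches `template`
    after normalization, or None if it does not match."""
    regex, names = compile_template(template)
    m = regex.fullmatch(normalize(text))
    return dict(zip(names, m.groups())) if m else None


def identify(text: str, templates: dict):
    """Return the first identifier whose template matches `text`, else None."""
    for lic_id, template in templates.items():
        if match_license(text, template) is not None:
            return lic_id
    return None


# Constructed template; "Example-BSD-variant" is a hypothetical identifier.
TEMPLATE = """Copyright (C) {{years}} Example Author. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice,
   this list of conditions and the following disclaimer.
2. The origin of this software must not be misrepresented; you must not
   claim that you wrote the original software.

Example Author, version {{version}} of {{date}}"""
TEMPLATES = {"Example-BSD-variant": TEMPLATE}

# Two constructed "releases": only the version and date differ (the second
# also uses an en dash and different line wrapping, which normalization hides).
TEXT_107 = """Copyright (C) 1996-2019 Example Author. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. The origin of this software must not be misrepresented; you must not claim that you wrote the original software.
Example Author, version 1.0.7 of 27 June 2019"""

TEXT_108 = """COPYRIGHT (C) 1996\u20132019 Example Author. All rights reserved.
Redistribution and use in source and binary forms,
with or without modification, are permitted provided that the following
conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. The origin of this software must not be misrepresented; you must not claim that you wrote the original software.
Example Author, version 1.0.8 of 13 July 2019"""

# A constructed revision that changes the terms (extra clause): must NOT match.
TEXT_CHANGED = TEXT_108.replace(
    "2. The origin",
    "2. Altered source versions must be plainly marked as such.\n3. The origin",
)

if __name__ == "__main__":
    for label, text in [("1.0.7", TEXT_107), ("1.0.8", TEXT_108), ("changed", TEXT_CHANGED)]:
        print(label, "->", identify(text, TEMPLATES), match_license(text, TEMPLATE))
```

The point of the design is that the captured fields are returned rather than discarded: a tool can record which version and date it saw while still mapping both texts to one identifier, and a text that adds or alters a clause falls through to `None` so it is flagged for legal review instead of being silently matched.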


Funding for Hosting On-Line SPDX Tools

Phil Odence
 

The SPDX Work Group needs your help to host on-line tools.

 

As you may know, SPDX runs on a shoestring with support from the Linux Foundation but no corporate contributions. There are benefits to the independence of this arrangement, but it means we rely on individual contributions to cover the modest expenses we do take on. One of those regular expenses is for cloud services to host our wonderful set of on-line tools.

 

We spend $1200/year on hosting. We’d like to line up enough funding to backfill for this year and to build a balance of “money in the bank” to ensure continuity next year. So the goal is $2400 total. As of this writing we are approaching half way there.

 

Please make a contribution of any size through the Linux Foundation CommunityBridge at:

https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124

 

BIG THANKS in advance!

 

Phil

 

L. Philip Odence

General Manager, Black Duck Audit Business

Synopsys Software Integrity Group, Burlington, MA

M (781) 258-9502 | phil.odence@...

https://www.synopsys.com/audits  

 

 


 

 


 


Thursday's SPDX General Meeting Reminder - Special Presentation

Phil Odence
 

Special Presentation by Rishabh Bhatnager, one of our Google Summer of Code students

 

Title: Golang Parallel RDF Parser

 

Description: Building an RDF reader in native GoLang, which would not only be useful for the SPDX community but might also help the GoLang community as a whole, and reducing the time required to parse each file by using a concurrent parser.

 

 

About Rishabh: A Blockchain enthusiast interested in open source who's good at competitive programming. I'm in the final year of graduation pursuing computer engineering at St. Francis Institute of Technology (Mumbai, India).

 

 

I’m off on Thursday, so Gary will run the show.

 

Best,

Phil 

 

GENERAL MEETING

 

Meeting Time: Thurs, July 2, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval

 

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 


Re: Thursday's SPDX General Meeting Reminder - Special Presentation

J Lovejoy
 

yes, it's the 4th :)

On 6/3/20 2:04 PM, Jeremiah C. Foster wrote:
Is it not Thursday, June 4th?

On Wed, 2020-06-03 at 18:58 +0000, Phil Odence wrote:

Special Presentation

 

Title: The Use of SPDX for SBOM Content by the NTIA Software Transparency Initiative

 

Abstract: The NTIA Transparency Initiative has established a Healthcare Proof-of-Concept Working Group in order to evaluate the generation and consumption of SBOMs for Medical Devices.  Multiple Medical Device Manufacturers are creating proof-of-concept SBOMs in the SPDX format in support of this activity. An update on the efforts of this group and their use of SPDX will be provided.

 

Bio: Ed Heierman is a Sr. Product Cybersecurity Architect at Abbott Laboratories, and has 15+ years’ experience with medical device cybersecurity. As part of the Healthcare Proof-of-Concept Working Group, he is leading an effort to define the SBOM content and formats that will be evaluated as part of the NTIA Software Transparency Initiative.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, June 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval

 

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 




This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you.


Re: Thursday's SPDX General Meeting Reminder - Special Presentation

Jeremiah C. Foster
 

Is it not Thursday, June 4th?

On Wed, 2020-06-03 at 18:58 +0000, Phil Odence wrote:

Special Presentation

 

Title: The Use of SPDX for SBOM Content by the NTIA Software Transparency Initiative

 

Abstract: The NTIA Transparency Initiative has established a Healthcare Proof-of-Concept Working Group in order to evaluate the generation and consumption of SBOMs for Medical Devices.  Multiple Medical Device Manufacturers are creating proof-of-concept SBOMs in the SPDX format in support of this activity. An update on the efforts of this group and their use of SPDX will be provided.

 

Bio: Ed Heierman is a Sr. Product Cybersecurity Architect at Abbott Laboratories, and has 15+ years’ experience with medical device cybersecurity. As part of the Healthcare Proof-of-Concept Working Group, he is leading an effort to define the SBOM content and formats that will be evaluated as part of the NTIA Software Transparency Initiative.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, June 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval

 

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 






Thursday's SPDX General Meeting Reminder - Special Presentation

Phil Odence
 

Special Presentation

 

Title: The Use of SPDX for SBOM Content by the NTIA Software Transparency Initiative

 

Abstract: The NTIA Transparency Initiative has established a Healthcare Proof-of-Concept Working Group in order to evaluate the generation and consumption of SBOMs for Medical Devices.  Multiple Medical Device Manufacturers are creating proof-of-concept SBOMs in the SPDX format in support of this activity. An update on the efforts of this group and their use of SPDX will be provided.

 

Bio: Ed Heierman is a Sr. Product Cybersecurity Architect at Abbott Laboratories, and has 15+ years’ experience with medical device cybersecurity. As part of the Healthcare Proof-of-Concept Working Group, he is leading an effort to define the SBOM content and formats that will be evaluated as part of the NTIA Software Transparency Initiative.

 

 

GENERAL MEETING

 

Meeting Time: Thurs, June 3, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html


Conf call dial-in:

New dial in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at: 
http://uberconference.com/SPDXTeam

 

Administrative Agenda

Attendance

Minutes Approval

 

 

Technical Team Report – Kate/Gary

 

Legal Team Report – Jilayne/Paul/Steve

 

Outreach Team Report – Jack

 

Any Cross Functional Issues –All

 

 


SPDX website updates

Steve Winslow
 

Hello SPDX community,

This is a follow-up from discussions on several of the SPDX general meetings and workgroup calls over the past couple of months. The TL;DR version is:
More details are below for those who are interested. Thank you to everyone who was involved in assisting with the changeover.

Best,
Steve

= = =

The SPDX static website has previously been hosted on Drupal servers at https://spdx.org. This URL has also been used for hosting the files that are dynamically generated for the license list (https://spdx.org/licenses) and the RDF spec definition files (https://spdx.org/rdf/terms and other files under /rdf).

The Drupal servers have been planned for decommission, and we have migrated the static website content over to Wordpress. Originally, we had explored whether both the static and dynamically-generated content could all remain at its existing URLs. However, this did not appear to be reasonably doable without shifting the dynamic license list and RDF content to separate subdomains. Because SPDX has committed to maintaining the existing URLs for those files, we did not want to take this approach.

Instead, as mentioned above, the static content for the website has been shifted over to a new domain, https://spdx.dev. We have created redirects from the old spdx.org URLs over to the new corresponding pages at spdx.dev. Because of this, URLs that you've bookmarked for the static site should still get you to the right content. And URLs that you've bookmarked for the license list and RDF definition files will remain the same, as those are continuing to be hosted from spdx.org.

You'll see that the content at the new https://spdx.dev site is largely identical to the old site, although we have done some reorganization of the top-level links to make the menu bar a bit more usable. Now that the site transition is completed, we are looking to make more updates to some of the content that has grown stale over time. If you have suggestions or content you'd like to add or update, or if you see bugs or errors on the website, please feel free to file an issue at https://github.com/spdx/spdx-website/issues -- for the moment that is probably the easiest way to flag issues.

--
Steve Winslow
Director of Strategic Programs
The Linux Foundation


May SPDX General Meeting Minutes

Phil Odence
 

https://wiki.spdx.org/view/General_Meeting/Minutes/2020-05-07

 

 

General Meeting/Minutes/2020-05-07


- Attendance: 19
- Led by Phil Odence
- Minutes of April meeting


Presentation - SPDX 2.2 Overview, Kate

- Great job
- https://docs.google.com/presentation/d/1JGVS6vzGwueTDCBHWUNy9ItEFHZ5BwFZoUZsl7Ccxsw/edit#slide=id.p87

Tech Team Report - Kate / Gary

- Spec
  - See above
- Tools
  - Just released Java tools updating to 2.2
  - Will be a separate tool for new formats and will be migrating that way in the next month or two
  - Leaner, faster, more modern
  - Python libs support new JSON today
  - Maintaining full forward/backward compatibility
- GSoC
  - Students will be joining
  - They are getting oriented now
  - Will start coding in a month

Legal Team Report - Jilayne/Paul/Steve

- License List
  - Release postponed to mid-May so as not to clash with 2.2
  - Another week of work on tagging remaining requests

Outreach Team Report - Jack

- Twitter
  - SPDX Tools is now a Twitter handle

Cross Functional - Steve

- Website
  - Existing website is on Drupal
  - All LF stuff moving to WordPress
  - Some issues with auto-generated pages on WordPress
  - Critical to maintain URLs
  - Solution: License and RDF will stay at their current locations
  - New site will be spdx.dev
  - Full redirects will be in place
  - So no issues for users with migration
  - Content has been largely maintained
  - Some cleanup of formatting and organization
  - Plan to improve content over time.

 

Attendees

- Phil Odence, Black Duck/Synopsys
- Mark Atwood, Amazon
- Steve Winslow, LF
- Kate Stewart, Linux Foundation
- Alexios Zavras, Intel
- David Wheeler, Linux Foundation
- Gary O’Neall, SourceAuditor
- Matthew Crawford, ARM
- Jack Manbeck, TI
- Bradlee Edmondson, Harvard
- Hal Hearst, Synopsys
- Anisha Srivastava, Student
- Takashi Ninjouji, Toshiba
- Paul Madick
- Brad Goldring, GTC Law
- William Bartholomew, GitHub
- Jilayne Lovejoy, Canonical
- Matije Suklje, Liferay
- Philippe Ombrédanne, nexB

 


Thursday's SPDX General Meeting Reminder - Special Presentation

Phil Odence

One thing that remains normal in the world is the SPDX General Meeting.

This month Kate Stewart will be reviewing what’s new in the just-buttoned-up 2.2 release.

GENERAL MEETING

Meeting Time: Thurs, May 7, 8am PT / 10 am CT / 11am ET / 15:00 UTC.  http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

New dial-in number: 415-881-1586

No PIN needed

The weblink for screenshare will stay the same at:
http://uberconference.com/SPDXTeam

Administrative Agenda

Attendance

Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2020-04-02

Special 2.2 Release Presentation – Kate

Technical Team Report – Kate/Gary

Legal Team Report – Jilayne/Paul/Steve

Outreach Team Report – Jack

Any Cross Functional Issues – All


SPDX 2.2 Specification Review Window - ends May 1, 2020

Kate Stewart
 

Hi all,
    The SPDX 2.2 specification is now in the final 2-week public review window.
The SPDX tech-list participants have been working on polishing it for the last couple of months and adding in the outstanding pull requests that have been completed.

If you are interested in reviewing this final draft, the online rendered version can be found at: https://spdx.github.io/spdx-spec/v2-draft/ (Thank you to Thomas Steenbergen and William Bartholomew for giving us this option, and sorting out the rendering infrastructure!)

If a reviewer spots any issues that need to be fixed before we publish the final version, please create an issue at https://github.com/spdx/spdx-spec/issues and tag it with the milestone 2.2.

The changes from our 2.1 version of the specification at a high level are:
  • JSON, YAML, and a development version of XML have been added as supported file formats.
  • A new appendix "SPDX File Tags" has been added to describe a method that developers can use to document other SPDX file-specific information (such as copyright notices, file type, etc.) in a standardized and easily machine-readable manner. See Appendix IX for more information.
  • A new appendix "SPDX Lite" has been added to document a lightweight subset of the SPDX specification for scenarios where a full SPDX document is not required. See Appendix VIII for more information.
  • Additional relationship options have been added to enable expression of different forms of dependencies between SPDX elements. As well, NONE and NOASSERTION keywords are now permitted to be used with relationships to indicate what is unknown.
  • Additional external repository identifiers have been added to Appendix VI (PURL, SWHIDs, etc.).
  • Miscellaneous bug fixes and non-breaking improvements as reported on the mailing list and reported as issues on the spdx-spec GitHub repository.
Thanks again to all the contributors who've worked on including these changes!

Kate



Re: Chime instead of Zoom, a modest proposal

Bradley M. Kuhn <bkuhn@...>
 

This would be a good time to note that folks who care about their software
freedom cannot effectively participate in SPDX, and not only because the
conferencing solution is proprietary software (although in the past I was
able to join non-video via a phone number using PSTN line -- this thread
indicates to me that feature might go away now).

In particular, the mailing lists silently one night a year or two ago changed
from GNU Mailman to a proprietary software service with almost no notice. (I
discovered later SPDX was apparently the "test list" that LF used when they
switched all their mailing lists wholesale from a FOSS solution to a
proprietary one, which is why SPDX switched first.) That new service
requires agreement to a proprietary license to interact with its web
interface at all (including to just manage subscription requests), which of
course installs proprietary JavaScript on one's computer while using it [0].

I have invited FOSS licensing folks to the SPDX list who refused to join the
mailing list because they didn't want to agree to this proprietary license.
There are thus non-hypothetical examples of SPDX's lack of inclusivity
discouraging participation.

Meanwhile, with the slow move to GitHub for more and more SPDX items, SPDX
has slowly begun to cross the line into using proprietary-access-only GitHub
features. The CLI GitHub clients that use the API can interact with GitHub
issues somewhat. I think (although I haven't checked in about a year) that
GitHub doesn't require you to agree to a proprietary license just to make an
account and use the API. However, the standard web interface to most GitHub
features requires the installation of proprietary software.

So, while James' "must work on Linux" is of course a must, I think this would
be a good moment for SPDX to consider if it wants to dig even deeper into
being a project that has been for some time fundamentally unfriendly to FOSS
enthusiasts. The trend has been in a FOSS-unfriendly direction, and this is
a factor in why I've reduced my volunteer time substantially for SPDX in the
last 6-9 months. I noticed and read through this thread because the subject
line was related to that very issue, and it confirms that I should be
recommending that folks who care about software freedom will probably just
need to avoid the SPDX project.


[0] The only reason I'm still on this mailing list is that the GNU Mailman
subscriptions were auto-imported to the proprietary system, and since I
was a founding member of the inaugural FOSS-Bazaar-Package-Facts list
that became the SPDX lists eventually, I'm still on it. As such, I've
never actually agreed to Linux Foundation's new proprietary license for
its mailing list software; now LF is just sending me (now-unsolicited)
email that I happen to find in my inbox.
--
Bradley M. Kuhn - he/him

Pls. support the charity where I work, Software Freedom Conservancy:
https://sfconservancy.org/supporter/


Re: Chime instead of Zoom, a modest proposal

Jonas Smedegaard
 

Quoting Jeremiah C. Foster (2020-04-15 18:57:24)
> On Tue, 2020-04-14 at 16:45 -0400, John Sullivan wrote:
> > "James Bottomley" <James.Bottomley@...> writes:
> >
> > > Well, I'm glad you asked ... so far the most promising fully open
> > > trial is this one:
> > >
> > > https://bigbluebutton.org/
> >
> > I've used Jitsi meet a bit and it is pretty decent too;
> > https://github.com/jitsi/jitsi-meet

For the pragmatic angle of "does it work reliably" I agree that Jitsi is
a viable option.

Any conferencing service _can_ become unreliable when stressed.
Stability for all improves when a) the fewest possible participants use
their camera, and b) participants use the newest release of a
Chromium-based web browser (i.e. best to avoid¹ Firefox or Safari or
GNOME Web).

> One caveat with tools that use WebRTC - there is no E2E encryption yet
> in the protocol. Matrix however does have this and I've used its
> video and audio and that works quite well.

True, no general-purpose web browser supports E2E encryption for WebRTC
calls, so if you want the convenience of "calling from your browser"
then you cannot have the strongest of security.

That said, WebRTC security is still _better_ than that of non-WebRTC
services like Zoom².

For conferences crucially needing it, WebRTC with E2E encryption _is_
possible, using a dedicated tool (i.e. not a web browser) and the
advanced WebRTC+MLS service at https://wire.com/en/

- Jonas


¹ Because Jitsi until next release (expected few days from now) only
reliably supports Chromium-based web browsers -
https://github.com/jitsi/jitsi-meet/issues/4758 - and Firefox is known
to cause trouble not only for themselves but also for other participants
- https://github.com/jitsi/jitsi-meet/issues/5439 and
https://bugzilla.mozilla.org/show_bug.cgi?id=1164187

² Because Zoom is known to jeopardize security and even practice
newspeak by advertising that they support "e2e" (meaning something else
by that term than the rest of the world):
https://onezero.medium.com/zoom-is-a-nightmare-so-why-is-everyone-still-using-it-1b05a4efd5cc

--
* Jonas Smedegaard - idealist & Internet architect
* Tel.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private