Reminder Thursday SPDX General Meeting
Philip Odence
Should be a short one with no guest speaker.
Europeans, note that the US has not yet switched back to Standard time, so time is off by an hour from normal.
GENERAL MEETING
Meeting Time: Thurs, Nov 2, 8am PDT / 10am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the call: https://www.uberconference.com/katestewart
Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed
Administrative Agenda
Attendance
Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-10-05
Technical Team Report – Kate
Legal Team Report – Paul
Outreach Team Report – Jack
Cross Functional Issues – All
|
|
Marriage of SPDX, OpenChain and the Blockchain
Mark Gisi
In 2016 we explored how the benefits of the Blockchain could be leveraged to assist with open source compliance across a complex manufacturing supply chain [1]. Our interest was sparked after witnessing a group of customers struggling to coordinate/consolidate open source compliance artifacts during the manufacturing of a consumer product.
In February 2017 we presented our findings and announced a new initiative at the Open Source Leadership Summit. The focus: Utilize SPDX + OpenChain + Hyperledger Sawtooth to solve the problem. We made the source code available in July 2017 under the Apache license: https://github.com/Wind-River/sparts/blob/master/README.md
Demo Oct 23-25th 2017 in Prague - We will demo the Software Parts Ledger and its support for a Software Parts catalog this week at the Open Source Summit in Prague in the Intel booth (we hope you can stop by if you are around). The demo includes SPDX and OpenChain components. It is scheduled for Monday 8am-1pm, Tuesday 8am-1pm, Wednesday, 1pm-6pm.
We will be presenting the latest status of this initiative at the Open Source Compliance Summit in November in Yokohama, Japan: "Utilizing Blockchain Across The Supply Chain". Asian manufacturers and suppliers have expressed above average interest in this approach.
This has been and still largely is a grass roots initiative – which is how all great things begin (including Linux :-)). The project is looking for contributors who have a serious interest/pain/stake in solving the problem being addressed (especially product manufacturers and software supplier organizations). The success of any supply chain Blockchain initiative will eventually require heavy involvement of the supply chain participants (e.g., to host ledger/Blockchain nodes, contribute requirements, code, documentation and so forth). We are also looking for a neutral place/organization to host the project, which will also be an important requirement for its success in the long term.
Reach out to me if you are interested or would like to learn more.
cheers, Mark
[1]: https://lists.spdx.org/pipermail/spdx-tech/2016-December/003199.html
Mark Gisi | Wind River | Director, IP & Open Source Tel (510) 749-2016 | Fax (510) 749-4552
|
|
Re: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
Philippe Ombredanne
On Fri, Oct 20, 2017 at 9:20 AM, Fendt, Oliver <oliver.fendt@siemens.com> wrote:
> great to see this direction of development.
The MODULE_LICENSE macro used in the kernel is a clear license statement. And better than a terse "Copyright (c) John Doe, GPL" that is seen in the kernel since there is a clear documentation of its meaning in the kernel's module.h [0]:
 * The following license idents are currently accepted as indicating free
 * software modules
 *
 *	"GPL"				[GNU Public License v2 or later]
 *	"GPL v2"			[GNU Public License v2]
 *	"GPL and additional rights"	[GNU Public License v2 rights and more]
 *	"Dual BSD/GPL"			[GNU Public License v2
 *					 or BSD license choice]
 *	"Dual MIT/GPL"			[GNU Public License v2
 *					 or MIT license choice]
 *	"Dual MPL/GPL"			[GNU Public License v2
 *					 or Mozilla license choice]
 *
 * The following other idents are available
 *
 *	"Proprietary"			[Non free products]
[...]
So MODULE_LICENSE("GPL") means clearly "GNU Public License v2 or later" and nothing else. I cannot comment on whether such a license statement would be legally binding or not, but at least there is no ambiguity about what this means. And IMHO this is as good as an SPDX license identifier and as good as it gets short of any other licensing indications.
Since the MODULE_LICENSE is only for kernel modules, there was a need for something that could be applied elsewhere, hence the use of SPDX identifiers.
Note that there were talks to use a macro instead of a comment. It may come back in the future as it would have the added benefit to inject license ids in the built binaries (the same way a MODULE_LICENSE ends up in a built LKM)
[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/module.h?id=refs/tags/v4.10#n172
--
Cordially
Philippe Ombredanne
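Added example (not part of the original message and not the kernel's own tooling): a small Python audit that pulls the SPDX-License-Identifier tag and any MODULE_LICENSE ident out of source text, attaches the meaning documented in the module.h comment quoted above, and flags files that carry only the macro, an undocumented ident, or no marker at all. The function names, status labels and sample files are constructed for illustration.

```python
import re

# Meanings copied from the module.h comment quoted in the message above.
MODULE_LICENSE_MEANING = {
    "GPL": "GNU Public License v2 or later",
    "GPL v2": "GNU Public License v2",
    "GPL and additional rights": "GNU Public License v2 rights and more",
    "Dual BSD/GPL": "GNU Public License v2 or BSD license choice",
    "Dual MIT/GPL": "GNU Public License v2 or MIT license choice",
    "Dual MPL/GPL": "GNU Public License v2 or Mozilla license choice",
    "Proprietary": "Non free products",
}

# The tag may sit in any comment style (#, //, /* */) and runs to end of line.
SPDX_RE = re.compile(r"SPDX-License-Identifier:[ \t]*([^\r\n]+)")
MODLIC_RE = re.compile(r'\bMODULE_LICENSE\s*\(\s*"([^"]*)"\s*\)')

def audit_source(text):
    """Extract license markers from one file's text and classify the file."""
    match = SPDX_RE.search(text)
    # Drop a closing "*/" when the tag sits inside a C block comment.
    spdx = match.group(1).replace("*/", "").strip() if match else None
    idents = MODLIC_RE.findall(text)
    if any(i not in MODULE_LICENSE_MEANING for i in idents):
        status = "unknown-module-ident"  # ident not in the module.h list
    elif spdx:
        status = "spdx-tagged"
    elif idents:
        status = "macro-only"  # MODULE_LICENSE is the only license statement
    else:
        status = "unlicensed"  # no machine-readable license marker
    return {
        "spdx": spdx,
        "module_license": idents,
        "meanings": [MODULE_LICENSE_MEANING.get(i) for i in idents],
        "status": status,
    }

def audit_tree(files):
    """Audit a {path: text} mapping and return {path: audit result}."""
    return {path: audit_source(text) for path, text in files.items()}

SAMPLE_FILES = {  # constructed inputs; the Makefile text is abbreviated
    "drivers/usb/Makefile": "#\n# SPDX-License-Identifier: GPL-2.0\n",
    "example/tagged.c": '/* SPDX-License-Identifier: GPL-2.0 */\n'
                        'MODULE_LICENSE("GPL v2");\n',
    "example/macro_only.c": 'MODULE_LICENSE("GPL");\n',
    "example/bare.c": "int x;\n",
    "example/odd.c": 'MODULE_LICENSE("GPLv2");\n',
}

if __name__ == "__main__":
    for path, result in audit_tree(SAMPLE_FILES).items():
        print(path, result["status"], result["spdx"], result["module_license"])
```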
|
|
Re: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
Oliver Fendt
Hi,
great to see this direction of development. This will at least clarify all the files which carry nothing except the macro MODULE_LICENSE("GPL");
Because one of the interesting questions is "is this a legally binding expression of licensing?"
Ciao
Oliver
-----Original Message-----
From: spdx-bounces@lists.spdx.org [mailto:spdx-bounces@lists.spdx.org] On behalf of Philippe Ombredanne
Sent: Thursday, 19 October 2017 20:28
To: SPDX-legal; spdx-tech@lists.spdx.org; SPDX-general
Subject: Fwd: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
FYI:
In case you missed it: SPDX identifiers have landed in kernel land...
Read the whole thread at https://patchwork.kernel.org/patch/10016189/
And as a side effect, some new patches elsewhere are coming in with SPDX identifiers right in!
--
Cordially
Philippe Ombredanne
---------- Forwarded message ----------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, Oct 19, 2017 at 10:38 AM
Subject: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
To: linux-usb@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>, Kate Stewart <kstewart@linuxfoundation.org>, Philippe Ombredanne <pombredanne@nexb.com>
It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. This patch adds these identifiers to all files in drivers/usb/ based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Unless someone really complains, I'm going to add this to my tree for 4.15-rc1.
diff --git a/drivers/usb/Makefile b/drivers/usb/Makefile index 9650b351c26c..cb8d902b801d 100644 --- a/drivers/usb/Makefile +++ b/drivers/usb/Makefile
@@ -1,6 +1,7 @@ # # Makefile for the kernel USB device drivers. # +# SPDX-License-Identifier: GPL-2.0 # Object files in subdirectories [....] long diff of 600 files removed for brevity... _______________________________________________ Spdx mailing list Spdx@lists.spdx.org https://lists.spdx.org/mailman/listinfo/spdx
|
|
[PATCH] USB: add SPDX identifiers to all files in drivers/usb/
Philippe Ombredanne
FYI:
In case you missed it: SPDX identifiers have landed in kernel land...
Read the whole thread at https://patchwork.kernel.org/patch/10016189/
And as a side effect, some new patches elsewhere are coming in with SPDX identifiers right in!
--
Cordially
Philippe Ombredanne
---------- Forwarded message ----------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, Oct 19, 2017 at 10:38 AM
Subject: [PATCH] USB: add SPDX identifiers to all files in drivers/usb/
To: linux-usb@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Thomas Gleixner <tglx@linutronix.de>, Kate Stewart <kstewart@linuxfoundation.org>, Philippe Ombredanne <pombredanne@nexb.com>
It's good to have SPDX identifiers in all files to make it easier to audit the kernel tree for correct licenses. This patch adds these identifiers to all files in drivers/usb/ based on a script and data from Thomas Gleixner, Philippe Ombredanne, and Kate Stewart.
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Unless someone really complains, I'm going to add this to my tree for 4.15-rc1.
diff --git a/drivers/usb/Makefile b/drivers/usb/Makefile index 9650b351c26c..cb8d902b801d 100644 --- a/drivers/usb/Makefile +++ b/drivers/usb/Makefile @@ -1,6 +1,7 @@ # # Makefile for the kernel USB device drivers. # +# SPDX-License-Identifier: GPL-2.0 # Object files in subdirectories [....] long diff of 600 files removed for brevity...
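Review bot: in the drivers/usb/Makefile hunk the new "# SPDX-License-Identifier: GPL-2.0" line is appended at the end of the existing header comment (line 4 of the file) rather than placed at a fixed position such as line 1, so an audit script has to search each file's header instead of reading one known line; consider moving the tag above the opening "#". The commit message also says the identifiers come from "a script and data" without stating how a file with no prior license text was assigned GPL-2.0, and one sentence describing that rule would make the 600-file diff easier to review.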
|
|
Oct SPDX General Meeting Minutes
Philip Odence
Here you go: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-10-05
General Meeting/Minutes/2017-10-05
Guest Presentation - Alexander Lisianoi
Tech Team Report - Kate/Gary
Legal Team Report - Jilayne/Paul
Outreach Team Report - Jack
Attendees
|
|
Reminder about Thursday SPDX General Meeting (with special guest!)
Philip Odence
Please join us for a special presentation by Alexander Lisianoi, another SPDX 2017 Google Summer of Code student participant. He is a software engineer working towards his Masters at Technical University of Vienna, Austria. His project for us was called "Online Validation Tools." He will describe how he took two libraries (boolean.py and license-expression) and converted them from Python to JavaScript with a tool called Transcrypt.
GENERAL MEETING
Meeting Time: Thurs, Oct 5, 8am PDT / 10am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the call: https://www.uberconference.com/katestewart
Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed
Administrative Agenda
Attendance
Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-09-07
Guest Presentation – Alexander
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne
Business Team Report – Jack
Cross Functional Issues – All
Phil
|
|
Re: Package, mandatory?
Gary O'Neall
Hi Jonas,
> However, the cardinality is given as "Optional, one or many." I'm not
I would call this a bug in the SPDX tools. If you could log an issue in the git repo and upload a tag/value file which reproduces the error, I'll take a look at it (https://github.com/spdx/tools/issues).
Thanks for reporting the issues.
Gary
|
|
Re: Package, mandatory?
Kate Stewart
Hi Jonas
On Tue, Sep 26, 2017 at 7:11 AM, Jonas Oberg <jonas@...> wrote:
> Hi everyone,
Prior to 2.0, the expectation was that there would only be a single package with a set of files in each SPDX document. When we introduced relationships/identifiers, in 2.0, we were able to extend the specification to handle multiple packages being present in the same SPDX document (cardinality (Many)). Similarly it was recognized that an SPDX document could be just a grouping of files (i.e. a set of binary files and an artificial package to encompass them all was not needed) (hence Optional). I can see though that we should have been clearer.
The tools should be able to handle the translation, so yes, go ahead and log a bug there too.
Bug in the spdx-tools, improvement in wording needed in the specification - so please go ahead and log issues against both. Thanks, Kate
|
|
Package, mandatory?
Jonas Oberg
Hi everyone,
as you know, the FSFE is working on a project, REUSE, which has as one of its recommendations to produce an SPDX conformant bill of materials, if one can be generated automatically. As part of this project, I'm putting together a few template/example repositories which do exactly this. I will definitely make a lot of assumptions in generating the SPDX file, and it won't scale well beyond the example, but it's still an interesting practice.
In this, I've discovered what feels like an inconsistency in the specification, or its implementation. I would like to bring your attention to version 2.1, section 3[^1] which deals with the package information. The description is given as "One instance of the Package Information is required per package being described."
However, the cardinality is given as "Optional, one or many." I'm not sure exactly how to interpret this, as I noticed the spdx-tools fails when converting from tag format to RDF if I don't have a Package specified.
If I know where the bug is (specification, me, spdx-tools), I can file a more appropriate bug report or fix my own code :-)
[^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp
Best regards,
--
Jonas Öberg
Executive Director
FSFE e.V. - keeping the power of technology in your hands. Your support enables our work, please join us today http://fsfe.org/join
|
|
SPDX Sept General Meeting Minutes
Philip Odence
https://wiki.spdx.org/view/General_Meeting/Minutes/2017-09-07
General Meeting/Minutes/2017-09-07
Guest Presentation - Krys Nuvadga
Tech Team Report - Kate/Gary
Legal Team Report - Jilayne/Paul
Outreach Team Report - Jack
Attendees
|
|
Re: SPDX recommendations from other communities! :-D
Kate Stewart
On Wed, Sep 6, 2017 at 7:51 AM, Neal Gompa <ngompa13@...> wrote:
Hi Neal,
We agree, some tooling is needed to generate the signing of the files that is needed in an SPDX document for an accurate manifest. Both FOSSology and ScanCode are open source projects that scan source projects and generate SPDX documents. Wind River also provides a service to do so too.
Kate
|
|
Re: SPDX recommendations from other communities! :-D
Philip Odence
Sorry, all, didn’t mean to cc the list. But you might find my blog amusing as well.
From: <spdx-bounces@...> on behalf of Philip Odence <podence@...>
Wow, Kate, great stuff! Thanks for sharing. I’ll talk to Jack about putting reference on the website.
In the meantime, for your amusement: http://blog.blackducksoftware.com/open-source-licenses-interesting
From: <spdx-bounces@...> on behalf of Kate Stewart <kstewart@...>
Hi, Just thought some of you might be interested in some recent announcements with SPDX showing up in them.
FSFE just launched a new site today recommending use of SPDX license identifiers in the source files, and generating a manifest from an SPDX document. :-)
Also there are a similar set of recommendations by the Commons Conservancy which also recommend use of the tags, and generation of SPDX documents:
Best regards, Kate
|
|
Re: SPDX recommendations from other communities! :-D
Philip Odence
Wow, Kate, great stuff! Thanks for sharing. I’ll talk to Jack about putting reference on the website.
In the meantime, for your amusement: http://blog.blackducksoftware.com/open-source-licenses-interesting
From: <spdx-bounces@...> on behalf of Kate Stewart <kstewart@...>
Hi, Just thought some of you might be interested in some recent announcements with SPDX showing up in them.
FSFE just launched a new site today recommending use of SPDX license identifiers in the source files, and generating a manifest from an SPDX document. :-)
Also there are a similar set of recommendations by the Commons Conservancy which also recommend use of the tags, and generation of SPDX documents:
Best regards, Kate
|
|
Re: SPDX recommendations from other communities! :-D
Neal Gompa
On Wed, Sep 6, 2017 at 8:47 AM, Kate Stewart <kstewart@linuxfoundation.org> wrote:
> Hi,
I'd like to point out that this recommendation is contingent on being able to automatically scan and generate it. No one is suggesting manual inventory of code to generate SPDX document.
--
真実はいつも一つ!/ Always, there's only one truth!
|
|
SPDX recommendations from other communities! :-D
Kate Stewart
Hi,
Just thought some of you might be interested in some recent announcements with SPDX showing up in them.
FSFE just launched a new site today recommending use of SPDX license identifiers in the source files, and generating a manifest from an SPDX document. :-)
Also there are a similar set of recommendations by the Commons Conservancy which also recommend use of the tags, and generation of SPDX documents:
Best regards, Kate
|
|
Thursday SPDX General Meeting Reminder
Philip Odence
Please join us for a special presentation by Krys Nuvadga, an SPDX 2017 Google Summer of Code student participant. He is a student of the University of Buea, Cameroon.
Krys is working on the License Coverage Grader tool. This tool takes an SPDX document and a pointer to the original source files, and determines a "grade" to quantify how complete the licensing information is at the file level for the code represented by the SPDX document.
GENERAL MEETING
Meeting Time: Thurs, Sept 7, 8am PDT / 10am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the call: https://www.uberconference.com/katestewart
Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed
Administrative Agenda
Attendance
Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-08-03
Guest Presentation – Krys
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne
Business Team Report – Jack
Cross Functional Issues – All
Phil
|
|
"License Clearance in Software Product Governance"
Kate Stewart
Just spotted a very nice reference to SPDX in Dirk Riehle's paper, and thought those on the list might find the paper interesting as well.
Kate
|
|
SPDX Aug General Meeting Minutes
Philip Odence
Here are the minutes
https://wiki.spdx.org/view/General_Meeting/Minutes/2017-08-03
Phil
General Meeting/Minutes/2017-08-03
Guest Presentation - Rohit
Tech Team Report - Kate/Gary
Legal Team Report - Jilayne/Paul
Outreach Team Report - Jack
Attendees
|
|
Reminder about SPDX General Meeting on Thursday with guest presenter.
Philip Odence
Please join us for a special presentation by Rohit Lodha, another of our Google Summer of Code participants. I’ll introduce Rohit and his project (on which he will update us) in his own words: I am a third year student pursuing B.E Computer Science at Birla Institute of Technology and Science, Pilani, India (BITS Pilani). I love developing websites and have a huge interest in Python.
GENERAL MEETING
Meeting Time: Thurs, Aug 3, 8am PDT / 10am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html
Join the call: https://www.uberconference.com/katestewart
Optional dial in number: 877-297-7470
Alternate number: 512-910-4433
No PIN needed
Administrative Agenda
Attendance
Minutes Approval: https://wiki.spdx.org/view/General_Meeting/Minutes/2017-07-06
Guest Presentation – Rohit
Technical Team Report – Kate/Gary
Legal Team Report – Jilayne
Business Team Report – Jack
Cross Functional Issues – All
Phil
|
|