Hi Terin, Can you give us a real life use case where either "NONE" or "NOASSERTION" should be used in combination with other licenses? If there's a compelling use case as to why it should be allowed,

Hi Terin Neither could we. :-) Ah yes, that should be considered. Right now when NONE or NOASSERTION are permitted, they are associated with the actual fields in the specification (ie. LicenseConclude

Hi Yev, The spec you linked to was the one I created for las week's call. Is there a different document we should be refering to? Thanks, Kate

Hi Philippe, The document you commented on was from last week's discussion. Your input is appreciated and you're opinion is lining up with some of the thoughts expressed as part of the external identi

here's the link: https://docs.google.com/document/d/1j6LWnkh5GbMV9Xo5_zJ0wTNLROEIa4o1OU279YueI90/edit

The SPEC being referred to is a NIST one, rather than ANSI. see: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060 Which is open. Its in its second reading right now, and its in a public

The base document that these changes are being proposed for is SPDX 2.0 see: http://spdx.org/SPDX-specifications/spdx-version-2.0 The goal of software package data exchange (SPDX) is to create a commo

Hi Uday, Proposal was to permit use of either. It was not mandating that one or another needs be used. Agree. Also, see appendix A in NIST-8060 where CPE can be derived from SWID. see: http://csrc.nis

There is no SPDX tag - per se. An SPDX document for a package contains hash codes at the file level. (SHA1, SHA256 ), as well as an algorithm for a verification code to be generated from the component

Hi Uday, I don't think so. This is an optional field to permit linkage to security information IF it exists. If it doesn't exist, its more the responsibility of the package creator or distributor to r

Hi Richard, Very cool. typo? Is at: http://spdx.org/licenses/exceptions-index.html Its available from the http://spdx.org/licenses/ page Syntax in the specification right now [1] for things not includ

Thanks. I've forward the info to the folks with web access, and we'll get it fixed. Agree. Possibly something like LicenseRef-Rasbperry-Pi-firmware would be short and descriptive. Actual syntax in the

Hi, As part of the discussion tomorrow I'd like to get some input on the options for new branding for SPDX. As SPDX is one of the underpinings to support open compliance, it would be good if our logo'

Hi Phil, Yes, that is the concern that is motivating this proposal. Not at this time, but the new logo ideas were designed by the same designer that work on the open compliance logo. Both options have

For those interested in improving the automated tracking of copyright, licensing and security information in the supply chain, we've managed to get a Supply Chain mini-summit added on after LinuxCon o

Hi Dave, Welcome. :-) Information on the general meetings and past minutes can be found on: http://wiki.spdx.org/view/General_Meeting Kate

Greetings, The tech team is winding up the remaining minor changes, and has declared the SPDX 2.1 specification ready for wider public review. The review window will end on July 29th, and if there are

Thanks Gary, Sorry I had to leave mid way through the report. Couple of minor adjustments to the minutes. The review window for SPDX 2.1 spec is now closed. Its been open for a 1.5 months, and feedbac

Hi Michael, Yes, feel free to join us on the weekly call (Tuesday at 1pm Eastern) details: http://wiki.spdx.org/view/Technical_Team for Q&A or send email to spdx-tech@... with your question

Hi, The SPDX tech team will be hosting an SPDX Tools BakeOff at LinuxCon Europe on 6 October 2016. Participation can be remote by phone or in person. The Bake-off (also known by some as a Plugfest) wi