Clarification on purpose and participation
Karim Ratib <karim.ratib@...>
Hello,
I just discovered SPDX and after watching the 3-minute video and reading through the Web site, I am eager to understand more - and possibly to participate in the effort, in my capacity as a software developer. I develop web applications using the open source Drupal CMS, and each implementation typically uses tens, if not hundreds, of contributed modules. Each module as well as the core system are GPL licensed. I would like to generate a bill of material for the whole application, and eventually for the server that hosts the application. My initial thought is to write a software tool that generates a single SPDX file based on the Drupal installation's metadata - core version, installed modules, additional libraries, etc. Is this what would be expected to comply with the SPDX vision?

As follow-up questions:
- Is there a convention to query Web applications for their SPDX (e.g. a well-known URI)?
- Are there existing tools within Linux distributions to generate SPDX for installed packages?
- Is there a recommended workflow for generating a comprehensive SPDX document for a given computer (desktop/server)?

Sorry if these are naive questions - thanks in advance for taking the time to enlighten me.

Karim
Kim Weins
Hi Karim
Thanks so much for your interest and sorry for the slow response! All of the questions that you have asked are exactly on track with our next steps for SPDX. Now that we have a v1 of the SPDX spec, we want to start to create tools that will help developers that create or use OSS to better generate SPDX files. There are several commercial tools that do this, but we also feel that open source tools will be critical.

Today there are a couple of OSS tools that can help find and identify open source licenses. One is FOSSology (created and maintained by HP) which is available at fossology.org. They are also hosting it at OSU's Open Source Lab. Another is ninka (http://ninka.turingmachine.org/) which was created by Daniel German. I've cc'd Daniel -- since you may want to talk to him about some of his experience doing this. I don't believe FOSSology or Ninka will generate an SPDX file (yet). We also have some free OSS tools on the spdx.org site that can help you convert a software bill of materials from spreadsheet form into SPDX format. However that assumes you already have the info about what open source licenses are included. We are also looking to create additional tools/toolkits that can be used, and would love help in that process.

If you are interested in participating, we have three workstreams -- technical, legal and business. Each group holds regular open calls to discuss issues. You can find more details on the participate section of spdx.org. Also, you can sign up for the mailing lists and participate that way as well.

Kim

On Fri 8/26/11 3:57 PM, "Karim Ratib" <karim.ratib@...> wrote:
> Hello,
Nope. Interesting idea though.
> - Are there existing tools within Linux distributions to generate SPDX
Nope. We want to create some tools though.
> - Is there a recommended workflow for generating a comprehensive SPDX
Nope.

Kim Weins | Senior Vice President, Marketing
kim.weins@...
Follow me on Twitter @KimAtOpenLogic
650 279 0410 | cell
www.openlogic.com
Follow OpenLogic on Twitter @openlogic
dmg
Kim Weins twisted the bytes to say:
Kim> There are several commercial tools that do this, but we also feel that open
Kim> source tools will be critical. Today there are a couple of OSS tools that
Kim> can help find and identify open source licenses. One is FOSSology (created
Kim> and maintained by HP) which is available at fossology.org. They are also
Kim> hosting it at OSU's Open Source Lab. Another is ninka (
Kim> http://ninka.turingmachine.org/) which was created by Daniel German. I've
Kim> cc'd Daniel -- since you may want to talk to him about some of his
Kim> experience doing this. I don't believe FOSSology or Ninka will generate an
Kim> SPDX file (yet). We also have some free OSS tools on the spdx.org site that
Kim> can help you convert a software bill of materials from spreadsheet form into
Kim> SPDX format. However that assumes you already have the info about what open
Kim> source licenses are included.

I wrote some scripts that will actually do a decent job of generating an SPDX document. The only (challenge|problem) is that Ninka does not recognize many of the SPDX licenses.

Here is an example, using Linux as the Guinea pig:

http://turingmachine.org/~dmg/temp/linux-3.0.2.spdx.v0.1

Notice that this is not a true SPDX compliant document:
- It is licensed under the Creative Commons.
- It has some extra tags that I find useful.
- It does not contain a verification code.

--dmg

--
Daniel M. German
http://turingmachine.org/
http://silvernegative.com/
dmg (at) uvic (dot) ca
replace (at) with @ and (dot) with .
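The piece dmg's document is missing, the package verification code, is fully specified by SPDX, so an inventory tool of the kind Karim proposes can compute it itself. The example below is added here and is not code from the thread, from Ninka, FOSSology or any spdx.org tool: it emits a minimal SPDX 2.x tag-value document for a set of files and re-checks the code against the files actually present, which is how an SBOM of a running install can be tested for drift. The tool name, the namespace URI and the sample file map are constructed placeholders.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed stand-in for a Drupal install tree ({relative path: bytes}).
SAMPLE_FILES = {
    "core/lib/Drupal.php": b"<?php\n// core\n",
    "modules/contrib/token/token.module": b"<?php\n// token\n",
    "sites/default/settings.php": b"<?php\n$settings = [];\n",
}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def verification_code(files: dict, excludes=frozenset()) -> str:
    # SPDX rule: SHA-1 over the concatenated, lexicographically sorted SHA-1 hex
    # digests of every package file, minus excluded ones (e.g. the SPDX document).
    digests = sorted(sha1_hex(files[p]) for p in files if p not in excludes)
    return sha1_hex("".join(digests).encode("ascii"))

def render_spdx(name, version, files, license_id, spdx_path=None) -> str:
    excludes = frozenset([spdx_path]) if spdx_path in files else frozenset()
    code = verification_code(files, excludes)
    if excludes:  # spec form: "<hex> (excludes: ./a, ./b)"
        code += " (excludes: %s)" % ", ".join("./" + p for p in sorted(excludes))
    out = ["SPDXVersion: SPDX-2.2", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           f"DocumentName: {name}-{version}",
           f"DocumentNamespace: http://example.invalid/spdx/{name}-{version}",  # placeholder
           "Creator: Tool: example-spdx-gen-0.1",  # hypothetical tool name
           "Created: " + datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
           "", f"PackageName: {name}", "SPDXID: SPDXRef-Package",
           f"PackageVersion: {version}", "PackageDownloadLocation: NOASSERTION",
           "FilesAnalyzed: true", f"PackageVerificationCode: {code}",
           f"PackageLicenseConcluded: {license_id}", f"PackageLicenseDeclared: {license_id}",
           "PackageCopyrightText: NOASSERTION"]
    for i, path in enumerate(p for p in sorted(files) if p not in excludes):
        out += ["", f"FileName: ./{path}", f"SPDXID: SPDXRef-File-{i}",
                f"FileChecksum: SHA1: {sha1_hex(files[path])}",
                "LicenseConcluded: NOASSERTION", "LicenseInfoInFile: NOASSERTION",
                "FileCopyrightText: NOASSERTION"]
    return "\n".join(out) + "\n"

def check_document(doc: str, files: dict) -> bool:
    # Recompute the code from the files now present; a mismatch means the
    # install drifted (or was altered) since it was inventoried.
    m = re.search(r"^PackageVerificationCode: ([0-9a-f]{40})(?: \(excludes: (.*)\))?$", doc, re.M)
    if not m:
        return False
    excl = frozenset(e.strip().removeprefix("./") for e in (m.group(2) or "").split(",") if e.strip())
    return verification_code(files, excl) == m.group(1)
```

The license identifier is passed in rather than derived, since, as Kim notes, detecting the license of each component is the job of a scanner such as Ninka or FOSSology.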
Karim Ratib <karim.ratib@...>
Kim and Daniel,
Thanks for your informative replies. My main interest at this point is to generate an SPDX from a running Drupal installation, not a source code repository, if at all feasible - I'll check how Ninka can help there. In general, my motivation for exploring the software inventory domain is not legal as much as it is economically oriented: knowing which open source packages are used in a project is the first step in budgeting some resources (money, effort) to go towards those packages' communities. Being an open source producer/consumer myself, I wish this was an established practice.

Best,
Karim

On Sat, Sep 3, 2011 at 12:48 PM, D M German <dmg@...> wrote:
> Kim Weins twisted the bytes to say: