FW: Thursday SPDX General Meeting

Philip Odence

No special guest star this month, so plan on a <30-minute meeting.


Note: I only just realized that I neglected to publish the minutes from the August meeting, so I am including at the bottom.




Meeting Time: Thurs, Aug 4, 8am PDT / 10 am CDT / 11am EDT / 15:00 UTC. http://www.timeanddate.com/worldclock/converter.html

Conf call dial-in:

Optional dial-in number: 877-297-7470

Alternate number: 512-910-4433

No PIN needed


Administrative Agenda



Technical Team Report – Kate/Gary


Legal Team Report – Jilayne/Paul


Business Team Report – Jack


Cross Functional Issues – Phil









General Meeting/Minutes/2016-08-04


   Attendance: 12

   Lead by Phil Odence

   Minutes of July meeting approved


Special Guest - Alexios Zavras, Intel

   His role is open source compliance at Intel, based in Munich

                   Now at open source tech center

                   Will be talking about his previous role with Intel Mobile Comms

   Mobile Comms

                   Based in Germany

                   Germans are very process-oriented, well-documented

   His role was SW legal compliance.

                   Ensuring all software legally compliant across all kinds of software

                   They treat all compliance issues as a bug, just like any problem in the software

                   Alexios learned of SPDX and was very pleased and excited about it

                                   Didn’t manage to get everything SPDX based

                                   Started slowly

                                   SPDX is very valuable at many levels

                                                   Even just the license list and standard way of expressing was very helpful

                                                   Quickly standardized on SPDX notations and it started appearing in their documentation etc

                                   Included in training that was mandatory for SW devs and later extended to marketing, legal, biz dev

                                                   Everyone who touches software had to take on-line course with a deeper course available for some

                                   Have developed number of tools, tightly coupled with dev environment

                                                   All developed internally

                                                   very tightly controlled, eg can’t check out code without a ticket

                                                   Tool chain includes license compliance

                                   Central team provides compliance services to dev

                                                   too much for all devs to worry about

                                                   Fits with org structure

                                                   Internal teams reviews all code

                                   Started small, then more widespread and more automated

                                                   Today every release goes through this license compliance check

                                                   Requires ‘stamp of approval’ from central team

                                   To make the central team more efficient

                                                   Save all results

                                                   Including many of the SPDX fields

                                                   Saved in database

                                   Last step, not yet taken, is to generate an SPDX doc for each release

                                                   Just held up by organizational issues, technically feasible

                                                   Being worked on

                                                   Have started getting the request from customers

                                                                   Not mentioning SPDX by name, have not seen that yet,

                                                                   but asking for data that SPDX covers, files, license, etc

                                                                   (both are with Euro customers)

                                   When they generate SPDX

                                                   Permissive license require attribution

                                                   They’ve had an issue with that going back 5 years

                                                   Their policy to handle is to deliver all OSS in source form

                                                   So, therefore include attribution in comments

                                                   They include a list of open source and model licenses, but the attribution is all in source code

                                   Example: modem company

                                                   Intel provides chips and software in binary form

                                                   Packaging: With binary they include

                                                                   all source for open source in binary

                                                                   And, list of conditions for any 3rd party proprietary code

                                   Are they being asked for security vulnerabilities associated with components

                                                   Not yet, but they are thinking about it with respect to naming (CPEs, etc)

   AZ- “Thanks for the wonderful work. It’s really helpful.”


Tech Team Report - Kate


                   Collecting feedback

                   Addressing as it comes in

   Gary has taken a pass at updating tools

   In the polishing stage

                   One more round of feedback

                   Into publishing mode as of Tuesday

   Bake Offs

                   Possible SF 9/27 and Europe at LCon

                   Needs to be nailed down in the next couple of weeks.

Outreach Team Report - Jack


                   Still working this week

                   Will review at next week’s meeting

                   Should be close with go live; shooting for Linux Con NA

                   Still looking for some improvements that will require work from the Linux Foundation team

                                   No show stoppers

                   Will send out link for review

Legal Team Report - Jilayne

   XML review

                   Still plugging away

                   Timeline set

   2.5 release

                   Just a few licenses

                   Aiming for end of Oct

                   See Legal Team meeting minutes for detail

                   Could use all the help they can get; lots to do

                                   To review new XML master format for every license


Cross Functional Topics - Phil

   Guest stars

                   Always looking for more


Attendees

   Phil Odence, Black Duck

   Alexios Zavras, Intel

   Kate Stewart, Linux Foundation

   Jilayne Lovejoy, ARM

   Scott Sterling, Palamida

   Robin Gandhi, UNO

   Jack Manbeck, TI

   Yev Bronshteyn, Black Duck

   Matt Germonprez, UNO

   Michael Herzog, nexB

   Georg Link, UNO

   Mike Dolan, Linux Foundation
