SPDX General Meeting Minutes

Philip Odence

Thanks again to Gary and the UNO team for the interesting presentation.

L. Philip Odence
General Manager Audit Services
Vice President of Corporate and Business Development
Black Duck Software, Inc.
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence

General Meeting/Minutes/2015-07-02

  • Attendance: 15
  • Led by Phil Odence
  • Minutes of May meeting approved

UNO - Matt Germonprez

  • Tools
    • DoSOCS - evolved from the Yocto tool
      • Generalized to create ways of generating SPDX docs from various dev processes
      • Result: DoSOCS - ways to scan packages and repos (now source, but in theory binary) to generate SPDX
        • Main use case is generating SPDX 2.0 docs
        • Store in a relational database - the trick was mapping object-oriented SPDX to a relational database
        • Very generic, even on the back end; developed with FOSSology, but could plug in commercial scanners
        • Future: intake of SPDX
        • Idea is that this will eventually pull in all tools (Git, Yocto, etc.)
        • And can be tied into Jenkins
        • Ultimately will support an enterprise process to maintain an inventory of SPDX docs that come out of their processes
      • Also exploring production of security vulnerability info
        • Looking for where vulnerability info could be stored.
        • Need a spot for CPE (and other common ID standards)
        • Which would allow for vulnerability info
        • Tech team has been pursuing this idea
        • Group needs to address the mission creep issue
    • Git Scanner
      • Analyzes a branch and contributes an SPDX doc
    • Eclipse Plug In

Tech Team Report - Kate & Gary

  • Proposal for wording on Snippets
    • Up as a Google Doc and available for review
  • Also one for None/No Assertion
  • Some discussion of best practices as well
    • Looking for folks to sign up on the wiki page to write up parts
  • Kicked off discussion of the Bake Off and what examples to use
  • BillS writing up proposal for including external component identifiers (GAV, CPE, others)
    • General agreement with concept
  • Tools
    • Discussion has been going for a couple months about mapping/reconciling various sources of tools (SPDX group, UNO)
    • Bakeoff at LinuxCon NA (Monday, 8-noon)
      • Will have 2-3 examples
        • Candidates are examples on best practices page
      • Tool providers will provide SPDX docs
      • Should learn a lot from comparisons

Legal Team Report - Paul

  • Putting together a revised License List (2.1) including exceptions
    • Lots of new exceptions
  • Mark Gisi is leading exploration of standard headers

Biz Team Report - Jack

  • Working on new guidance pages
    • Phil and Jack have been prototyping
  • LinuxCon
    • Bake Off Monday
    • Aiming for BoF on Tuesday
    • SPDX talk from Gary (Tues am)
    • Mark will be giving a more general talk that will relate to SPDX (Tues pm)

Cross Functional Topics - Phil

  • Continually looking for presenters for General Meeting
  • Phil Odence, Black Duck
  • Mike Dolan, Linux Foundation
  • Mark Gisi, Wind River
  • Scott Sterling, Palamida
  • Gary O’Neill, SourceA
  • Kate Stewart, LF
  • Hassib Khanafer, Protecode
  • Paul Maddick, HP
  • Scott Lamons
  • Jack Manbeck, TI
  • Matt Germonprez, UNO
  • Tom Gurney, UNO
  • Uday Shankar, UNO
  • Michael H- nexB
  • Kirsten Newcomer, Black Duck