https://wiki.spdx.org/api.php?action=feedcontributions&feedformat=atom&user=GoneallSPDX Wiki - User contributions [en]2026-05-07T11:16:56ZUser contributionsMediaWiki 1.23.13https://wiki.spdx.org/view/Technical_Team/MinutesTechnical Team/Minutes2022-06-09T16:10:36Z<p>Goneall: </p>
<hr />
<div>NOTE: More recent meeting minutes are now available at https://github.com/spdx/meetings/tree/tech-2022-06-07/tech<br />
<br />
{{#subpages:|limit=500|format=ul|kidsonly=no|pathstyle=none|sort=desc}}<br />
<br />
[[Category:Technical|Minutes]]<br />
[[Category:Minutes]]<br />
[[Technical Team/Minutes/CollabSummitPhotos|White Boards from Collab Summit]]</div>Goneallhttps://wiki.spdx.org/view/General_Meeting/Minutes/2021-08-05General Meeting/Minutes/2021-08-052021-08-05T23:06:38Z<p>Goneall: Created page with "* Attendance: 29 * Lead by Gary O’Neall * Minutes of July meeting Approved == New License Matching Library == * Presented by Mikihito Matsuura * Slides: https://docs.googl..."</p>
<hr />
<div>* Attendance: 29<br />
* Lead by Gary O’Neall<br />
* Minutes of July meeting Approved<br />
<br />
== New License Matching Library ==<br />
<br />
* Presented by Mikihito Matsuura<br />
* Slides: https://docs.google.com/presentation/d/10n5CSE_LP0HDznhb6_P6zmyA4QpKJX3b_VhOvnF3nuk/edit?usp=sharing <br />
* PyPI: https://pypi.org/project/yalm/ <br />
* GitHub repo: https://github.com/m1kit/yalm-python/ <br />
* GitHub resources repo: https://github.com/m1kit/yalm-resources/tree/dist<br />
* Uses 2 step process, word matching, then regex<br />
* Looking to extend beyond python, to ruby, etc. <br />
* Proposal JSON format for template – Should we standardize JSON?<br />
* Vulnerable regexes in templates – regex matches may match unintended text<br />
* What about a ML engine? Its focus is actual match rather than detection. <br />
** Goal is license matching, not license detection<br />
* Which matching guidelines are covered and which still needs to be implemented<br />
** Some are not covered<br />
** Suggest documenting which matching guidelines are not implemented<br />
** Perhaps tune the matching guidelines and license templates<br />
* Use of the XML format<br />
** XML is used as input<br />
* Additional questions and follow-up on a joint technical-legal team<br />
* Suggestion PyPI should have spdx- in the name - <br />
<br />
<br />
== Validate and Generate multiple representations of specifications ==<br />
* Presented by Nirmal Praveen Suthar<br />
* Slides: https://docs.google.com/presentation/d/17xrxcJ-74DfFmdZl99ogZTWa-MOgKuKW1PH6Qq5C4sg/edit?usp=sharing <br />
* Relevant links: <br />
** Parser: https://github.com/spdx/spec-parser <br />
** spec-v3-template example: https://github.com/spdx/spec-v3-template* Populates internal graph structure, namespace model. LALR is sufficient, but opportunity for improvement.<br />
* Generate a JSON Representation of the Specification from Structured Markdown<br />
* Transforms spec into “pretty markdown” and RDF OWL – the latter can be used to generate other schemas used by tools<br />
* Validation and report of errors<br />
* Reduce redundancy (e.g. handling defaults)<br />
* Adds reference sections<br />
<br />
== Outreach Team Report - Sebastian/Jack ==<br />
* Weekly meetings – Moved to Wednesday<br />
* Update WikiPedia entry – currently terribly out of day<br />
* Will start with Podcasts<br />
* Follow-up with RSS feeds<br />
* Updates for the Wordpress website – will be a topic for the next meeting<br />
* IRC is up and running and doing well<br />
* Please take the SBOM readiness survey: https://www.linuxfoundation.org/press-release/linux-foundation-research-announces-software-bill-of-materials-sbom-readiness-survey/<br />
* Upcoming “town hall” will discuss tooling – see https://events.linuxfoundation.org/supply-chain-town-hall/program/schedule/ <br />
* DOCFest September 16 – see https://lists.spdx.org/g/Spdx-tech/message/4142<br />
<br />
== Legal Team Report - Jilayne/Paul/Steve ==<br />
* Next team call today – issues pending for release<br />
* Next release is expected Saturday or Sunday<br />
* Nothing technical expected in this release<br />
<br />
== Tech Team Report - Kate/Gary/Others ==<br />
* Specification – continuing to work through element and document interaction and modeling as well as identifier naming<br />
** Making progress on 3.0<br />
<br />
== Other Topics ==<br />
None<br />
<br />
== Attendees ==<br />
<br />
* Kate Stewart<br />
* Maximilian Huber -<br />
* Sebastian Crane<br />
* Tony Aiuto<br />
* David Edelsohn<br />
* Gary O'Neall<br />
* Christopher Lusk -<br />
* Philippe-Emmanuel Douziech<br />
* Mikihito Matsuura (GSoC student)<br />
* Marc-Etienne Vargenal<br />
* Brad Goldring<br />
* Alexios Zavras<br />
* Rich Steenwyk<br />
* Nirmal Suthar (GSoC student)<br />
* Joshua Marpet<br />
* Andrew Jorgensen (AWS)<br />
* Christian Long<br />
* Tiberius Hefflin<br />
* Paul Madick<br />
* Anshul<br />
* Jack Manbeck<br />
* Christina<br />
* Jeff Schutt (Cisco)<br />
* Jilayne Lovejoy<br />
* Steve Winslow<br />
* Christian Long<br />
* Emmerich<br />
* 2 people on phone where we did not catch the names<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-03-28T16:41:21Z<p>Goneall: /* Available Mentors */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github. In addition to migrating to DJango 3, additional issues can be taken on to create a full GSoC project (see the list below).<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3 Python3 Branch] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
Additional tasks and issues can can be included in a project (in priority order):<br />
* Migrate project to python3 and Django3 [https://github.com/spdx/spdx-online-tools/issues/58 issue 50] and [https://github.com/spdx/spdx-online-tools/issues/24 issue 24]<br />
* [https://github.com/spdx/spdx-online-tools/issues/287 Merge app and api code]<br />
* Fix and improve test [https://github.com/spdx/spdx-online-tools/issues/201 issue 201] [https://github.com/spdx/spdx-online-tools/issues/282 issue 282], [https://github.com/spdx/spdx-online-tools/issues/202 issue 202] + others<br />
* [https://github.com/spdx/spdx-online-tools/issues/299 Add a submit via mail functionality to license submittal]<br />
* [https://github.com/spdx/spdx-online-tools/issues/218 Store license diff screenshot in database instead of uploading to github]<br />
* [https://github.com/spdx/spdx-online-tools/issues/157 Improve error message when error received from the Java code]<br />
* [https://github.com/spdx/spdx-online-tools/issues/186 Add a License Diff section to the SPDX Online Tool]<br />
* [https://github.com/spdx/spdx-online-tools/issues/91 API documentation tool]<br />
* API for license namespace <br />
* [https://github.com/spdx/spdx-online-tools/issues/204 Move to Github Apps and improvement for production]<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:anshuldutt21@gmail.com Anshul Dutt Sharma] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Migrate Python Tools to Python 3 ===<br />
Migrate the [https://github.com/spdx/tools-python SPDX Python Tools] to Python 3 including all unit testing. In addition, additional known issues raised on GitHub may be tackled.<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
The Python tools are command-line tools and a library that implement reading and writing of SPDX files in different formats, as well as converting and validating SPDX files.<br />
The current implementation uses Python 2, which is no longer supported.<br />
In addition to migration, some additional tasks may be taken on to improve the supportability of the library. In particular, restructuring the code to separate out the different serialization formats (see [https://github.com/spdx/tools-python/issues/147 issue 147]).<br />
<br />
====Available Mentors====<br />
[mailto:santiago@nyu.edu Santiago Torres Arias] [mailto:alexios.zavras@intel.com Alexios Zavras] [mailto:anshuldutt21@gmail.com Anshul Dutt Sharma]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX specification.<br />
<br />
=== Generate a JSON Representation of the Specification from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a JSON structure following a well defined schema. Changes to an existing Markdown file should update the JSON files. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the properties of the JSON file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of Markdown and JSON syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://github.github.com/gfm/ GitHub flavored Markdown]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== Generate RDF/OWL from from JSON specification format ===<br />
Convert a set of JSON files into a Web Ontology Language XML document. The JSON file will map to the elements and attributes of the RDF/OWL XML file. The JSON schema will be defined prior to the project start and will be consistent with the "Generate a JSON Representation of the Specification from Structured Markdown" project described above.<br />
<br />
====Skills Needed====<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of JSON parsers<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-03-28T16:41:00Z<p>Goneall: /* Available Mentors */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github. In addition to migrating to DJango 3, additional issues can be taken on to create a full GSoC project (see the list below).<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3 Python3 Branch] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
Additional tasks and issues can can be included in a project (in priority order):<br />
* Migrate project to python3 and Django3 [https://github.com/spdx/spdx-online-tools/issues/58 issue 50] and [https://github.com/spdx/spdx-online-tools/issues/24 issue 24]<br />
* [https://github.com/spdx/spdx-online-tools/issues/287 Merge app and api code]<br />
* Fix and improve test [https://github.com/spdx/spdx-online-tools/issues/201 issue 201] [https://github.com/spdx/spdx-online-tools/issues/282 issue 282], [https://github.com/spdx/spdx-online-tools/issues/202 issue 202] + others<br />
* [https://github.com/spdx/spdx-online-tools/issues/299 Add a submit via mail functionality to license submittal]<br />
* [https://github.com/spdx/spdx-online-tools/issues/218 Store license diff screenshot in database instead of uploading to github]<br />
* [https://github.com/spdx/spdx-online-tools/issues/157 Improve error message when error received from the Java code]<br />
* [https://github.com/spdx/spdx-online-tools/issues/186 Add a License Diff section to the SPDX Online Tool]<br />
* [https://github.com/spdx/spdx-online-tools/issues/91 API documentation tool]<br />
* API for license namespace <br />
* [https://github.com/spdx/spdx-online-tools/issues/204 Move to Github Apps and improvement for production]<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:anshuldutt21@gmail.com Anshul Dutt Sharma] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Migrate Python Tools to Python 3 ===<br />
Migrate the [https://github.com/spdx/tools-python SPDX Python Tools] to Python 3 including all unit testing. In addition, additional known issues raised on GitHub may be tackled.<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
The Python tools are command-line tools and a library that implement reading and writing of SPDX files in different formats, as well as converting and validating SPDX files.<br />
The current implementation uses Python 2, which is no longer supported.<br />
In addition to migration, some additional tasks may be taken on to improve the supportability of the library. In particular, restructuring the code to separate out the different serialization formats (see [https://github.com/spdx/tools-python/issues/147 issue 147]).<br />
<br />
====Available Mentors====<br />
[mailto:santiago@nyu.edu Santiago Torres Arias] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX specification.<br />
<br />
=== Generate a JSON Representation of the Specification from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a JSON structure following a well defined schema. Changes to an existing Markdown file should update the JSON files. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the properties of the JSON file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of Markdown and JSON syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://github.github.com/gfm/ GitHub flavored Markdown]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== Generate RDF/OWL from from JSON specification format ===<br />
Convert a set of JSON files into a Web Ontology Language XML document. The JSON file will map to the elements and attributes of the RDF/OWL XML file. The JSON schema will be defined prior to the project start and will be consistent with the "Generate a JSON Representation of the Specification from Structured Markdown" project described above.<br />
<br />
====Skills Needed====<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of JSON parsers<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-03-24T20:59:39Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github. In addition to migrating to DJango 3, additional issues can be taken on to create a full GSoC project (see the list below).<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3 Python3 Branch] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
Additional tasks and issues can can be included in a project (in priority order):<br />
* Migrate project to python3 and Django3 [https://github.com/spdx/spdx-online-tools/issues/58 issue 50] and [https://github.com/spdx/spdx-online-tools/issues/24 issue 24]<br />
* [https://github.com/spdx/spdx-online-tools/issues/287 Merge app and api code]<br />
* Fix and improve test [https://github.com/spdx/spdx-online-tools/issues/201 issue 201] [https://github.com/spdx/spdx-online-tools/issues/282 issue 282], [https://github.com/spdx/spdx-online-tools/issues/202 issue 202] + others<br />
* [https://github.com/spdx/spdx-online-tools/issues/299 Add a submit via mail functionality to license submittal]<br />
* [https://github.com/spdx/spdx-online-tools/issues/218 Store license diff screenshot in database instead of uploading to github]<br />
* [https://github.com/spdx/spdx-online-tools/issues/157 Improve error message when error received from the Java code]<br />
* [https://github.com/spdx/spdx-online-tools/issues/186 Add a License Diff section to the SPDX Online Tool]<br />
* [https://github.com/spdx/spdx-online-tools/issues/91 API documentation tool]<br />
* API for license namespace <br />
* [https://github.com/spdx/spdx-online-tools/issues/204 Move to Github Apps and improvement for production]<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Migrate Python Tools to Python 3 ===<br />
Migrate the [https://github.com/spdx/tools-python SPDX Python Tools] to Python 3 including all unit testing. In addition to migrating to Python 3, additional issues can be taken on to create a full GSoC project (See the issues in the Python Tools project).<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
The current Python libraries use Python 2 which is no longer supported. In addition to migration, some additional tasks may be taken on to improve the supportability of the library. In particular, restructuring the code to separate out the different serialization formats (see [https://github.com/spdx/tools-python/issues/147 issue 147]).<br />
<br />
====Available Mentors====<br />
[mailto:santiago@nyu.edu Santiago Torres Arias] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX specification.<br />
<br />
=== Generate a JSON Representation of the Specification from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a JSON structure following a well defined schema. Changes to an existing Markdown file should update the JSON files. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the properties of the JSON file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of Markdown and JSON syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://github.github.com/gfm/ GitHub flavored Markdown]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== Generate RDF/OWL from from JSON specification format ===<br />
Convert a set of JSON files into a Web Ontology Language XML document. The JSON file will map to the elements and attributes of the RDF/OWL XML file. The JSON schema will be defined prior to the project start and will be consistent with the "Generate a JSON Representation of the Specification from Structured Markdown" project described above.<br />
<br />
====Skills Needed====<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of JSON parsers<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-03-23T22:39:20Z<p>Goneall: /* Migrate SPDX Online Tools to DJango3 */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github. In addition to migrating to DJango 3, additional issues can be taken on to create a full GSoC project (see the list below).<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3 Python3 Branch] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
Additional tasks and issues can can be included in a project (in priority order):<br />
* Migrate project to python3 and Django3 [https://github.com/spdx/spdx-online-tools/issues/58 issue 50] and [https://github.com/spdx/spdx-online-tools/issues/24 issue 24]<br />
* [https://github.com/spdx/spdx-online-tools/issues/287 Merge app and api code]<br />
* Fix and improve test [https://github.com/spdx/spdx-online-tools/issues/201 issue 201] [https://github.com/spdx/spdx-online-tools/issues/282 issue 282], [https://github.com/spdx/spdx-online-tools/issues/202 issue 202] + others<br />
* [https://github.com/spdx/spdx-online-tools/issues/299 Add a submit via mail functionality to license submittal]<br />
* [https://github.com/spdx/spdx-online-tools/issues/218 Store license diff screenshot in database instead of uploading to github]<br />
* [https://github.com/spdx/spdx-online-tools/issues/157 Improve error message when error received from the Java code]<br />
* [https://github.com/spdx/spdx-online-tools/issues/186 Add a License Diff section to the SPDX Online Tool]<br />
* [https://github.com/spdx/spdx-online-tools/issues/91 API documentation tool]<br />
* API for license namespace <br />
* [https://github.com/spdx/spdx-online-tools/issues/204 Move to Github Apps and improvement for production]<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX specification.<br />
<br />
=== Generate a JSON Representation of the Specification from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a JSON structure following a well defined schema. Changes to an existing Markdown file should update the JSON files. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the properties of the JSON file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of Markdown and JSON syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://github.github.com/gfm/ GitHub flavored Markdown]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== Generate RDF/OWL from from JSON specification format ===<br />
Convert a set of JSON files into a Web Ontology Language XML document. The JSON file will map to the elements and attributes of the RDF/OWL XML file. The JSON schema will be defined prior to the project start and will be consistent with the "Generate a JSON Representation of the Specification from Structured Markdown" project described above.<br />
<br />
====Skills Needed====<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of JSON parsers<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-03-10T19:31:55Z<p>Goneall: /* Background Information */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github.<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [Python3 Branch https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX specification.<br />
<br />
=== Generate a JSON Representation of the Specification from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a JSON structure following a well defined schema. Changes to an existing Markdown file should update the JSON files. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the properties of the JSON file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of Markdown and JSON syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://github.github.com/gfm/ GitHub flavored Markdown]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== Generate RDF/OWL from from JSON specification format ===<br />
Convert a set of JSON files into a Web Ontology Language XML document. The JSON file will map to the elements and attributes of the RDF/OWL XML file. The JSON schema will be defined prior to the project start and will be consistent with the "Generate a JSON Representation of the Specification from Structured Markdown" project described above.<br />
<br />
====Skills Needed====<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of JSON parsers<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-03-10T19:31:17Z<p>Goneall: /* Background Information */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github.<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [Python3 Branch https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX specification.<br />
<br />
=== Generate a JSON Representation of the Specification from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a JSON structure following a well defined schema. Changes to an existing Markdown file should update the JSON files. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the properties of the JSON file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of Markdown and JSON syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://github.github.com/gfm/ GitHub flavored Markdown]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1LN5CepVVOu38w4pXeLpw_3BDNn2CKAWUyTVdlh8C2WM/edit?usp=sharing Template for Spec Markdown] (work in progress)<br />
* [https://docs.google.com/document/d/1J6P3q6wcP0c1xquTIfMfIBJCa8S1xtkhDs6dD1hSf4Y/edit?usp=sharing Example spec JSON file] (work in progress)<br />
* [https://docs.google.com/document/d/1OF_EqfU4tLPF-oGheEZ1aCzsnGIJHyRptzQ_U7AA-wY/edit?usp=sharing Draft JSON schema] (work in progress)<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== Generate RDF/OWL from from JSON specification format ===<br />
Convert a set of JSON files into a Web Ontology Language XML document. The JSON file will map to the elements and attributes of the RDF/OWL XML file. The JSON schema will be defined prior to the project start and will be consistent with the "Generate a JSON Representation of the Specification from Structured Markdown" project described above.<br />
<br />
====Skills Needed====<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of JSON parsers<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in GitHub as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://json-schema.org/ JSON Schema] information site and its [https://tools.ietf.org/html/draft-bhutton-json-schema-00 current draft]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://github.com/spdx/spdx-spec/tree/development/v3.0/chapters Markdown for version 3.0] - subject to change as we specify the markdown constraints for this project<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-02-03T19:30:15Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github.<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [Python3 Branch https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== Generate a JSON Representation of the Specification from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a JSON structure following a well defined schema. Changes to an existing Markdown file should update the JSON files. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the properties of the JSON file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of JSON parsers<br />
* Knowledge of Markdown syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in Github as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://github.github.com/gfm/ Github flavored Markdown]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/tree/development/v3.0/chapters Markdown for version 3.0] - subject to change as we specify the markdown constraints for this project<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== Generate RDF/OWL from from JSON specification format ===<br />
Convert a set of JSON files into a Web Ontology Language XML document. The JSON file will map to the elements and attributes of the RDF/OWL XML file. The JSON schema will be defined prior to the project start and will be consistent with the "Generate a JSON Representation of the Specification from Structured Markdown" project described above.<br />
<br />
====Skills Needed====<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of JSON parsers<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in Github as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document. The conversion will be in 2 stages:<br />
* Convert from Markdown to an intermediate JSON format<br />
* Convert from the JSON format to RDF/OWL<br />
<br />
The specific schema for the JSON format is under development and planned to be available before the start of GSoC.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://github.com/spdx/spdx-spec/tree/development/v3.0/chapters Markdown for version 3.0] - subject to change as we specify the markdown constraints for this project<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:alexios.zavras@intel.com Alexios Zavras]<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-02-02T22:09:18Z<p>Goneall: /* Proposed 2021 Projects */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Migrate SPDX Online Tools to DJango3 ===<br />
Migrate the SPDX online tools to later versions of Django and upgrade dependencies (such as Django Social Auth) to later version to support better / more secure authentication to Github.<br />
<br />
====Skills Needed====<br />
* Experience with Python3 programming<br />
* Familiar with Django framework<br />
<br />
====Background Information====<br />
The SPDX Online Tools are currently being migrated to Python3. Several libraries can now be upgraded to more supportable versions including DJango. There are some known issues with the current version of Django Social Auth which would be resolved by upgrading the versions. There may be additional libraries which can be upgraded. There is also an opportunity to improve the structure and unit tests for the online tools if time allows. See the [Python3 Branch https://github.com/spdx/spdx-online-tools/tree/rtgdk_python3] of the SPDX online tools for the current state of the Python3 migration.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Generate RDF/OWL/XML from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a Web Ontology Language XML document. Changes to an existing Markdown file should update the OWL document. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the elements and attributes of the RDF/OWL XML file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of Markdown syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in Github as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://github.github.com/gfm/ Github flavored Markdown]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://github.com/spdx/spdx-spec/tree/development/v3.0/chapters Markdown for version 3.0] - subject to change as we specify the markdown constraints for this project<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== RDF Writer for Golang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for Golang and provide a more modular structure for the SPDX Golang tools.<br />
<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== YAML Support for Golang libraries ===<br />
YAML is one of the supported formats for SPDX. This project is to add support for reading and writing YAML to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of YAML<br />
* Skills in YAML parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== JSON Support for Golang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the Golang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in Golang<br />
<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-golang SPDX Golang tools repo] and the [https://github.com/spdx/gordf gordf library] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-02-02T18:02:05Z<p>Goneall: /* Proposed 2021 Projects */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Generate RDF/OWL/XML from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a Web Ontology Language XML document. Changes to an existing Markdown file should update the OWL document. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the elements and attributes of the RDF/OWL XML file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of Markdown syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in Github as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://github.github.com/gfm/ Github flavored Markdown]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://github.com/spdx/spdx-spec/tree/development/v3.0/chapters Markdown for version 3.0] - subject to change as we specify the markdown constraints for this project<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== RDF Writer for GoLang ===<br />
Gordf supports writing rdf triples to rdf file. Create an interface that would take in a SPDX document and generate RDF triples out of it. Which will then be consumed by the gordf to generate a RDF/xml file.<br />
<br />
====Skills Needed====<br />
* Knowledge of RDF<br />
* Skills in XML parsing<br />
* Knowledge and experience in GoLang<br />
<br />
====Background Information====<br />
RDF/XML is one of the supported formats for SPDX documents. Creating an RDFWriter would create a generally useful facility for GoLang and provide a more modular structure for the SPDX GoLang tools.<br />
<br />
See the [SPDX GoLang tools repo https://github.com/spdx/tools-golang] and the [gordf library https://github.com/spdx/gordf] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar]<br />
<br />
=== JSON Support for GoLang libraries ===<br />
JSON is one of the supported formats for SPDX. This project is to add support for reading and writing JSON to the GoLang libraries.<br />
<br />
====Skills Needed====<br />
* Knowledge of JSON<br />
* Skills in JSON parsing<br />
* Knowledge and experience in GoLang<br />
<br />
====Background Information====<br />
See the [SPDX GoLang tools repo https://github.com/spdx/tools-golang] and the [gordf library https://github.com/spdx/gordf] for more details on the current implementations.<br />
<br />
====Available Mentors====<br />
[mailto:bhatnagarrishabh4@gmail.com Rishabh Bhatnagar] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2021-01-31T20:49:27Z<p>Goneall: /* SPDX Workgroup Tooling Projects */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
=== Generate RDF/OWL/XML from Structured Markdown ===<br />
Convert a consistently structured Markdown file into a Web Ontology Language XML document. Changes to an existing Markdown file should update the OWL document. The Markdown will have a well defined structure to allow for translation of the text in Markdown to the elements and attributes of the RDF/OWL XML file. The conversion will also validate that the Markdown follows the required specification. The conversion would be run as part of a Github action for the SPDX specification.<br />
<br />
====Skills Needed====<br />
* Skills in writing parsing algorithms (e.g. working with [https://en.wikipedia.org/wiki/Abstract_syntax_tree Abstract Syntax Tree])<br />
* Knowledge and experience in the programming language chosen for the project (e.g. Java, JavaScript, Python)<br />
* Knowledge of RDF/OWL/XML formats<br />
* Knowledge of Markdown syntax<br />
<br />
====Background Information====<br />
The SPDX tech team works very collaboratively on the specification updates using markdown pages in Github as the primary documentation for the specification. RDF/OWL is used as the primary technical specification for the object model including relationships, cardinality, class structure, and other restrictions. There is a lot of overlap between the information in the Markdown and the information in the OWL document. To improve the quality and productivity of the specification work, the SPDX technical team has decided to add tooling for verification of the Markdown and conversion of any common information to the OWL document.<br />
<br />
Below are some additional resources for this project:<br />
* [https://www.w3.org/TR/2004/NOTE-owl-parsing-20040121/ RDF OWL parsing notes from the W3C]<br />
* [https://github.github.com/gfm/ Github flavored Markdown]<br />
* [https://docs.google.com/document/d/13PojpaFPdoKZ9Gyh_DEY-Rp7lldyMbSiGE3vCRQhR9M/edit# Results of process discussion]<br />
* [https://docs.google.com/document/d/1EGoAmKxPfmmlF3XV6fXwNmsCiFKLH83Bhh8_xrmGhko Analysis of RDF/OWL fields relative to Markdown] (work in progress)<br />
* [https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/spdx-ontology.owl.xml Current RDF/OWL document for SPDX spec]<br />
* [https://github.com/spdx/spdx-spec/tree/development/v3.0/chapters Markdown for version 3.0] - subject to change as we specify the markdown constraints for this project<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2020-12-28T17:20:22Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2021 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Project ideas coming soon...===<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2020-12-28T17:20:01Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from 2019 can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Project ideas coming soon...===<br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2020-12-28T17:14:41Z<p>Goneall: /* Proposed 2020 Projects */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2021 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from last year can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Generate Java SPDX Model Classes from XML XSD file ===<br />
In SPDX 3.0, we will be generating an XML XSD schema to define the model. This project idea is to use the XSD schema to generate a set of Java classes which represent the complete SPDX model. The generated classes would be used as part of a re-designed Java tool for SPDX. <br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* Skills in code generation practices<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
* A proposed XSD for SPDX can be found on [https://github.com/mil-oss/spdx-xsd github]. Note: This is a very early proposal and would likely change significantly.<br />
* Current Java tools can be found on [https://github.com/spdx/tools SPDX Tools github page]<br />
* A rewrite of the Java tools is in progress. The in progress work can be found at the [https://github.com/goneall/Spdx-Java-Library Spdx-Java-Library] github page.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Validate License Cross-References ===<br />
Enhance the SPDX LicenseListPublisher to validate the cross reference / seeAlso URL's for the license. One check would be to validate the link is still valid. This would need to be done in a way that has reasonably good performance (e.g. a long timeout would not work). Another check would be to identify the license text in the linked URL and compare it to the license text for the license itself to make sure they match. If either of these tests fail, a validity attribute should be added to the license output files (e.g. the license JSON files).<br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* HTML parsing skills<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
The [https://spdx.org/licenses/ SPDX license list] is generated from a [https://github.com/spdx/license-list-XML git repository of XML files]. One of the fields maintained in the XML is the crossRef which is a URL cross reference for the license which may be valid or it may also be a "dead link". The [https://github.com/spdx/LicenseListPublisher LicenseListPublisher] is the tool that generates the web pages and the output formats. The output formats can be found in the [https://github.com/spdx/license-list-data SPDX license list data] git repository. [https://github.com/spdx/LicenseListPublisher/issues/60#issuecomment-570511697 Issue #60] for the LicenseListPublisher describes a request to include validity attribute.<br />
<br />
Over the summer, we may be adding the XML format to the supported output data formats in the license list data repo.<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== Improve SPDX Golang tooling ===<br />
The goal of this GSoC project would be to add support in the [https://github.com/spdx/tools-golang SPDX Golang tools] for SPDX documents in versions of the SPDX spec other than 2.1, including the upcoming 2.2 spec release which will add JSON, YAML and XML to the supported formats. Other work may include improving the validation and data model used by the Golang tools.<br />
<br />
====Skills Needed====<br />
* Go programming skills<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
The [https://github.com/spdx/tools-golang SPDX Golang tools] were initially designed to work with SPDX documents in tag-value format, for version 2.1 of [https://spdx.org/specifications the SPDX specification]. Currently it does not support earlier versions of the SPDX specification. Also, [https://github.com/spdx/spdx-spec/milestone/2 the upcoming 2.2 spec release], in addition to new data fields, will also add support for SPDX documents in JSON, YAML and XML formats. The Golang tools should (at a minimum) be updated to enable reading and writing in JSON and YAML.<br />
<br />
The SPDX Golang tools currently do some validation when reading and parsing SPDX documents, but they do not currently do much validation of the content itself. For example, license fields are represented as strings, but the tools do not currently check to confirm that e.g. the license identifiers are valid SPDX license expressions. Additional validation support to improve this would be beneficial.<br />
<br />
Additionally, the [https://github.com/spdx/tools-golang/tree/master/spdx data model used internally by the SPDX tools] to represent SPDX content is different in some ways from the data model used by other tools (e.g. [https://github.com/spdx/tools/tree/master/src/org/spdx/rdfparser/model Java], [https://github.com/spdx/tools-python/tree/master/spdx Python]). One goal for this project might be to evaluate the choices made by those other tools, and consider whether the Golang tools' data model should change to align with those.<br />
<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== GoLang Parallel RDF Parser ===<br />
Implement a high performance RDF parser for GoLang to support the SPDX RDF/XML format parsing and production.<br />
<br />
====Skills Needed====<br />
* GoLang programming skills<br />
* Knowledge of RDF<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
As of now, there are very few known libraries in GoLang which support RDF-Parsing and are Licensed to use with an open-source project. One of them is [https://godoc.org/github.com/knakk/rdf](knakk/rdf2go). This library uses the RDF serialization format. All the current projects claiming to parse RDF files have implemented it in a linear fashion(line by line parsing) making it a repetitive and time-consuming process. This project will aim to chunk the RDF files into appropriate blocks and parse them simultaneously to reduce the effective time required to parse the entire document. The parser must conform to the SPDX-2.x version standards and have proper tests for each procedure.<br />
<br />
This project could be included as part of a larger project which includes other fixes to the GoLang tools (see the Improve GoLang tooling project idea above).<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== SPDX Plugins for Package Managers ===<br />
Create a native plug-in or extension to a well-known package manager to generate valid SPDX documents based on the information provided in the build metadata files. Examples of package managers include Node Package Manager (NPM), Gradle, Rust Cargo, Ruby Gems, Python pip, and Cocoa Pods. A plugin for Maven has already been developed and can be used as an example.<br />
<br />
The plugin should generate a valid SPDX document with minimal configuration required by the user.<br />
====Skills Needed====<br />
* Programming languages skills will depend on the package manager (e.g. Ruby for Ruby Gems, JavaScript for NPM)<br />
* Knowledge of package managers and build processes<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
====Background Information====<br />
SPDX produces a standard Bill of Materials for software containing package and license information. Package managers collect and manage much of the data needed to produce an SPDX document. Automatically generating SPDX documents in package managers will greatly increase the efficiency and adoption of SPDX.<br />
<br />
The [Maven Plugin]( https://github.com/spdx/spdx-maven-plugin) is a prototype plugin developed for the Maven build system. It can be used as an example for creating plugins for other build environments.<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:kstewart@linuxfoundation.org Kate Stewart] <br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-09-22Technical Team/Minutes/2020-09-222020-09-22T17:59:42Z<p>Goneall: Created page with "September 22, 2020 == Attendees == * Kate Stewart * Rishabh Bhatnagar * Nisha Kumar * William Bartholomew * Gary O’Neall * Steve Winslow * Thomas Steenbergen * David Kemp..."</p>
<hr />
<div>September 22, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Rishabh Bhatnagar<br />
* Nisha Kumar<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Steve Winslow<br />
* Thomas Steenbergen <br />
<br />
* David Kemp<br />
* Jim Hutchison<br />
* Peter Shin<br />
<br />
Topics:<br />
* Base Profile<br />
<br />
== Base Profile ==<br />
* Other profiles (legal and vulnerabilities/defects) are currently blocked on documentation structure<br />
* Need a basic structure to start from<br />
* Need to core basically be defined<br />
* How aligned is the spec with 3T?<br />
* Don’t want to wait for the entire base to be specified<br />
* We have a diagram for Base that is pretty close<br />
* Should we have a diagram for the other profiles?<br />
* Licensing isn’t currently blocked – using a Google doc with text to make progress<br />
** Format looks similar to the 2.2 spec text<br />
** Would like to move to Github which will require a format to be specified<br />
* Need to follow the ISO profile as far as format<br />
* How do we specify which profiles are in effect<br />
** Clause 6 – Document information<br />
* Should we use the 2.2 format?<br />
* Document structure is in Google Docs at https://docs.google.com/document/d/19pAxCjXER5c_tdAjIIqK2Ipz5AvirH81GQuG5CsP8wk/edit<br />
* Discussion on Artifact superclass<br />
** Package, File and Snippet are concrete classes based on Artifact<br />
** Artifact is abstract<br />
* Should we check into 3.0 branch?<br />
** Current 3.0 branch was done before Rex’s reformatting<br />
** Rename 3.0 branch and create a new branch based on 2.2.1<br />
** DCO BOT is enabled for the spec repo in the branch protection rules<br />
** William will create a new branch<br />
* Steve will start putting the license in the new branch once available<br />
* If anyone has an issue blocking their profile, they will add an issue<br />
* Nisha asked if the base profile fields are locked down or if they are open to changes<br />
** Not locked down – can add<br />
** Base will be rather minimal<br />
** Profiles should work out what they need and raise issues when they need something to base<br />
* Are we adding fields to relationships?<br />
* Are annotations going to be used for defects?<br />
* Need to describe problem statements as well as solutions<br />
* Create a label “Blocked” if a team is blocked in making progress<br />
* Create a label for each profile<br />
* Create a meta-issue for each profile – optional<br />
* Subteams would decide if they need a diagram – if so, extend the base diagram<br />
* When the spec is complete, each profile will have its own diagram based on the base profile<br />
** Uses draw.io (a.k.a. diagrams.net)<br />
** Draw.io file can be saved<br />
<br />
==Next Week==<br />
* Thursday is a joint tech team legal call<br />
* Tuesday may be a continuation of Thursday’s call<br />
* How interoperate between profile teams – if times allow<br />
** Diagrams<br />
*** Python class diagrams<br />
*** diagrams.net format<br />
*** Plant UML <br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-09-15Technical Team/Minutes/2020-09-152020-09-15T18:48:21Z<p>Goneall: Created page with "September 15, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * Gary O’Neall * David Kemp * Jim Hutchison * Peter Shin Topics: * Demo of new online tools ** names..."</p>
<hr />
<div>September 15, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* Gary O’Neall<br />
* David Kemp<br />
* Jim Hutchison<br />
* Peter Shin<br />
<br />
Topics:<br />
* Demo of new online tools<br />
** namespace followup with Mark, Philippe and Fossology<br />
* Document generation / XSD/ XML<br />
* Discussion on the capturing of facts vs opinions<br />
** relationship property<br />
** annotation type<br />
<br />
== Demo of new online tools ==<br />
* A test version of the online tools is available at http://52.32.53.255/<br />
* Walked through the functionality<br />
* Discussion on the namespace features<br />
** Organizations – can only be added by authorized users<br />
*** We could use this to help maintain who has the ability to add which organizations to license namespace<br />
** Request Mark Atwoord (Amazon), Philippe (NexB), and FOSSology to review the new namespace functionality<br />
<br />
==Schema Generation==<br />
* Overview of current process<br />
** RDF OWL document is the base format used to generate all other documents<br />
** OWL document is kept manually in sync with spec with the spec being the source of record<br />
* Desire to change process in the future<br />
** Automatically keep document and OWL documents in sync<br />
** Have a different mechanism for describing the constraints that is more convenient than OWL<br />
*** OMG is using OWL and SHACL<br />
*** SHAX is another possibility<br />
*** David is working on a graph language that may help – will keep us up to date<br />
<br />
==Facts vs Opinions in SPDX Documents==<br />
* Currently, principle stated that documents are focused on facts<br />
* Some of the proposals for new profile introduce things that are not necessary facts<br />
* Proposal to extend Relationship to include things that may not be facts<br />
* Proposal to add Annotations<br />
* Example – expiration information <br />
<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-09-08Technical Team/Minutes/2020-09-082020-09-08T18:05:39Z<p>Goneall: Created page with "September 8, 2020 == Attendees == * Thomas Steenbergen * Nisha Kumar * Gary O’Neall * David Kemp * William Bartholomew * Jim Hutchison * Steve Winslow Topics: * How do we..."</p>
<hr />
<div>September 8, 2020<br />
== Attendees ==<br />
* Thomas Steenbergen <br />
* Nisha Kumar<br />
* Gary O’Neall<br />
* David Kemp<br />
* William Bartholomew<br />
* Jim Hutchison<br />
* Steve Winslow<br />
<br />
Topics:<br />
* How do we best proceed on documenting the different profiles<br />
* Core 3T SBOM comparison<br />
<br />
== Core 3T SBOM comparison ==<br />
* Comparison of Core 3T model to Core SPDX model<br />
* Slides available at https://docs.google.com/presentation/d/1dvGeCAbOUSD5qFQ6mt1WsnBEZvatnonYpKGdAQCIWZg/edit#slide=id.g95424fd354_0_0 (NOTE: presentation starts a slide 8)<br />
* Similar models<br />
* Proposed changes to SPDX<br />
** Identity – add structured email field, add structured tool information<br />
* Relationship<br />
** Subclass of element – adds ID<br />
** add completeness enum<br />
*** Should completeness be put in a separate profile?<br />
*** General consensus on the call 95% of use cases will not use this so should be added as a profile<br />
*** Agreed to defer the decision until Kate is on the call – Kate has been working with NTIA on this<br />
*** David raised the point that completeness is an optional enumeration and may not complicate the model<br />
*** Desire to simplify by reducing the number of field definitions<br />
** Make the object independent of the 2 items being related<br />
* Package URL more fundamental – mandatory unique identifier<br />
** Expanded the URL to be and ArtifactURL – superset of PackageURL which can include other types of artifacts including hardware etc.<br />
** concern about representing non-public package distribution; PURL may not be mature enough for all use cases<br />
*** add to the PURL or ArtifactURL if it is missing<br />
*** Software heritage approach could be another alternative – less human readable<br />
*** Could we use the SPDX reference ID as a package URL<br />
* Additional HASH algorithms<br />
* Suggestion to create examples for various scenarios (e.g. here’s the source repository a binary artifact was built from)<br />
* Suggest that we also have “bad examples”<br />
* Nisha created a mock-up for a container as part of defining the linking profile<br />
** Describing the relationships between layers, manifests can be complicated<br />
** Difficulty in representing URL for container metadata<br />
** Dynamic systems that re-generate the artifacts<br />
** Proposal that the SBOM travel with the artifacts in the distributed systems<br />
<br />
==How to document different profiles==<br />
* ran out of time for this topic – moved to next week<br />
<br />
==Next Week==<br />
* Linkage profile update<br />
* Nisha to present challenges with adapting to the container / container registry work<br />
* How to document different profiles<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-08-25Technical Team/Minutes/2020-08-252020-08-25T18:04:44Z<p>Goneall: Created page with "August 25, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * Nisha Kumar * Gary O’Neall * Peter Shin * William Bartholomew * Jim Hutchison * Philippe Ombredanne T..."</p>
<hr />
<div>August 25, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* Nisha Kumar<br />
* Gary O’Neall<br />
* Peter Shin<br />
* William Bartholomew<br />
* Jim Hutchison<br />
* Philippe Ombredanne<br />
<br />
Topics:<br />
* Vulnerability Profiles<br />
* Identity<br />
* OpenChain Licensing group update – SPDX 3.0<br />
<br />
==Call with OpenChain Automotive Workgroup==<br />
* Thomas attended a meeting with the OpenChain Automotive Workgroup<br />
* Led my Endo-san<br />
* Proposal to create an automotive profile<br />
* Created a PR: PR #468 https://github.com/spdx/spdx-spec/pull/468<br />
* Several updates are in progress for the PR<br />
* Several enhancements to 3.0 requested<br />
** Need a product entity<br />
** Need a condition entity<br />
** Need defects<br />
*** Defects go against conditions<br />
** Which product is involved<br />
** Where in the lifecycle (e.g. prototype)<br />
* Questions on scope<br />
** Initial proposal would use SPDX for specifications communications back to supplier<br />
** Should that be in scope for SPDX?<br />
* Discussion on defects<br />
** Should we expand vulnerabilities to include functional defects, others?<br />
** Thomas suggested vulnerabilities are very similar to other types of defects<br />
** Relationship to patches<br />
* Desire to communicate document expiration or other way to include the concept of time<br />
** Should we have a time profile?<br />
** Stating a future expectation like “I will release a new version on xxx” may violate the principle of stating facts<br />
** would like to avoid modeling contractual relationship<br />
* Audience – who is the intended recipient?<br />
** Example OEM supplier may document information which is not intended to be communicated to end users<br />
** Steve suggested that the process used for communicating documents may provide the mechanism for what is communicated to whom<br />
<br />
==Identity==<br />
* Came out of the 3T SBOM comparison to SPDX<br />
* Current SPDX identity is a structured string (e.g. PERSON: (email))<br />
* Proposal to structure this as a separate class in SPDX 3.0 using person, organization and tool as subclasses<br />
** name and email would be properties<br />
** There may have been an identity type in the linking profile<br />
*** Nisha will check with Santiago<br />
* Nisha asked if there was a process to propose promoting a field from a profile to the base profile<br />
** Those proposals can be raised in the SPDX tech meeting<br />
** Wait until we see commonalities between profiles before promoting<br />
** This could be used for identity properties used in linking profile and perhaps vulnerabilities<br />
* No concerns about adding structure to the identity<br />
<br />
==Vulnerability Profiles==<br />
* 3T SBOM put vulnerabilities in the defects<br />
* Thomas presented the 3T defects spec<br />
** Similar structure to SPDX<br />
** Additional relationships<br />
* Proposal to use defects rather than vulnerabilities<br />
* Question on having defect types or subclasses<br />
* Could use different profiles for security defects vs. other types of defects<br />
* DefectRepsonse<br />
** Not necessarily a fact like a defect is a fact<br />
** Should have a relationship to defect<br />
** Examples – isAffectedBy – this would be a relationship and more fact based<br />
* Should state SPDX 3.0 design principles<br />
** Could start with the spec statements about scope for SPDX 2.2<br />
* Should Vulnerabilities be their own element or a “type” of defect?<br />
* Source – specify the source<br />
** Rating is likely related to the source<br />
** Suggestion to move the rating to the source<br />
** Score may change over time<br />
** Vulnerability creation time may be different than document creating time<br />
** From Peter: CVSS has an equation under the hood - Weight_for_base * base + weight_for_impact * impact + ….<br />
* Dependency Tree Profile proposal<br />
<br />
==Next Week==<br />
* SPDX 3.0 design principles (e.g. facts based, scope related)<br />
* Dependency Tree Profile proposal – or template<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-08-18Technical Team/Minutes/2020-08-182020-08-18T18:06:21Z<p>Goneall: Created page with "August 18, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * John Horan * Gary O’Neall * Peter Shin * Philippe Ombredanne Topics: * Google Summer of Code * Legal..."</p>
<hr />
<div>August 18, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* John Horan<br />
* Gary O’Neall<br />
* Peter Shin<br />
* Philippe Ombredanne<br />
<br />
Topics:<br />
* Google Summer of Code<br />
* Legal profile – continuing discussion<br />
* Gitlab support of SPDX<br />
<br />
==GSoC==<br />
* Philip’s project should be able to present next General meeting – Kate will arrange<br />
* Philippe will meet with Philip and check on progress<br />
<br />
==Legal Profile==<br />
* Communicating between tools<br />
** Example: How well was the match to the license – would be helpful for a tool to tool relationship<br />
** Issue – loss of information detail<br />
** Snippets don’t really work – will capture the line range, but isn’t always correct<br />
** Should it be simplified or include a lot of detail?<br />
** Thomas: I found this license in this file at this line number<br />
** Would like to communicate scanning results from Scancode to SW360<br />
** Would help with audits and detecting errors/bugs<br />
** All on the call it would be useful<br />
** Kate created a Google doc to track the license scanning tooling profile: https://docs.google.com/document/d/1p24qf2uNk5b1rU0m_Tvj2cD-lioFaaeJKh9PmnPbhwo/edit<br />
** Kate also added a dependency tree profiles: https://docs.google.com/document/d/1IfcSlrDou-8KLqkLr568DKGaQiHXmt_EFsZRfcf0Ej8/edit<br />
** Kate also created a Google doc for the vulnerabilities profile: https://docs.google.com/document/d/11S8FTG5zSwmH-o_Conp9-mkzWyOuxC_KXx3VNHlhbws/edit<br />
** Will also create an issue<br />
* Question on how to represent a source file: I have a question on how to handle declared license. If it's a short reference to a license, for example, how should SPDX or tool handle "See the license file" snippet. Should the SPDX handle it as a declared and none?<br />
** Thomas, Gary and Philippe think it would be declared, but the discussion in legal was interpreted as “None” or “LicenseRef-“ with the text found in the file<br />
* Discussion on having a primary license for a package<br />
** Philippe will propose an extension to the license expression<br />
** Introduce “PLUS” operator with the same semantics as AND except the expression to the left of the operator is the primary license for the package<br />
<br />
<br />
==Gitlab==<br />
* Gitlab jobs do not support SPDX<br />
* Issue logged at https://gitlab.com/gitlab-org/gitlab/-/issues/218521<br />
* Thomas requested support and comments on the issue in support of SPDX<br />
* Steve is active with Gitlab and should be able to help<br />
* Kate will add some pointers in the issue<br />
<br />
==DCO signoff on SPDX Spec==<br />
* Currently not enabled for the spec<br />
* Agreed we will enable the DCO BOT<br />
* Will be turn on Sept. 1<br />
* Kate will send out an email<br />
* Thomas will submit a PR<br />
<br />
==Next Week==<br />
* Vulnerabilities Profile<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-08-11Technical Team/Minutes/2020-08-112020-08-11T21:43:41Z<p>Goneall: Created page with "August 11, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * Steve Winslow * Jilayne Lovejoy * Steve Winslow * Gary O’Neall * Rose Judge * Peter Shin * Brad Goldri..."</p>
<hr />
<div>August 11, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* Steve Winslow<br />
* Jilayne Lovejoy<br />
* Steve Winslow<br />
* Gary O’Neall<br />
* Rose Judge<br />
* Peter Shin<br />
* Brad Goldring<br />
* John Horan<br />
* Rose Judge<br />
* Vicky Brasseur<br />
* William Bartolomew<br />
* Mark Atwood<br />
<br />
Topics:<br />
* Legal profile<br />
<br />
==Legal Profile==<br />
* Work being done in Google Docs https://docs.google.com/document/d/1k_2tSlFXvW_SbW-I1DcSEoCNBMQJd4FEFIQr6KCJuyU/edit#<br />
* Tried to keep section numbers same<br />
* Note: Has not been reviewed by the entire legal team – will review in upcoming legal team meeting<br />
* Normalized naming (e.g. references to Spdx Document rather than Spdx File)<br />
* Discussion on Declared License for Package – metadata<br />
** Thomas raised question on if the Artifact includes the metadata or if it is different<br />
** Discussion on the previous discussions<br />
*** Maven POM files was discussed previously and general agreement that the POM license info would be declared but not concluded<br />
*** POM file license information was not always accurate<br />
** Different scenarios discussed, general agreement that a binary distribution would be a different artifact from the bundle of source<br />
* Discussion on license information that is not completely in the file (e.g. jQuery which includes a link but not the license notice)<br />
** Some tools will fill in the actual license referred to<br />
* Should we document the examples for Declared and Concluded licenses?<br />
** Valuable information<br />
** More specific would be better, but would make it larger<br />
*** Would be nice to have some additional documentation somewhere<br />
** Generally agree to move from the specific fields to the intro for the section<br />
* Discussion on None field for license<br />
** Should the field be renamed NONE_FOUND?<br />
*** Concern it would break tools<br />
** General agreement that NONE means someone looked really hard for a license and couldn’t find one at all<br />
** In the case of “No Rights Reserved”, one would create a LicenseRef-<br />
* Discussion cookbook<br />
** Could create hover over in the spec<br />
*** Concern about accessibility<br />
* Replacing references to Disjunctive license with “OR”<br />
* Continue discussion on the Legal team this Thursday<br />
* What is the name of the profile for licensing?<br />
** “Licensing”<br />
* Discussion on associating copyright owner with license<br />
** Thomas has a requirement to associate the license with the copyright owners<br />
** Current SPDX does not have a mechanism to retain the associations<br />
** Could use snippets to retain the association between copyright owners and licenses for specific code<br />
<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-08-04Technical Team/Minutes/2020-08-042020-08-04T18:08:39Z<p>Goneall: Created page with "August 4, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * William Bartholomew * Steve Winslow * Gary O’Neall * Rose Judge * Peter Shin Topics: * SPDX 3.0 Docume..."</p>
<hr />
<div>August 4, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* William Bartholomew<br />
* Steve Winslow<br />
* Gary O’Neall<br />
* Rose Judge<br />
* Peter Shin<br />
<br />
Topics:<br />
* SPDX 3.0 Document Structure<br />
* GSoC Update<br />
* SPDX Online Tools<br />
* Security related – LF security<br />
<br />
==GSoC Update==<br />
* All students passed<br />
* Some issues making good progress on the generating Java code from XSD – more complex than we originally thought<br />
* Some issues with communications<br />
** Rishabh has been keeping a log on Google Docs which is a good practice<br />
** Kate will <br />
<br />
==SPDX Online Tools Web Application==<br />
* Funding goal for the SPDX online tools was achieved through community bridge<br />
** Enough funding for 14 months of hosting<br />
* See meta issue for current status and progress https://github.com/spdx/spdx-online-tools/issues/199<br />
* Request to add SPDX document – see issue https://github.com/spdx/spdx-online-tools/issues/209<br />
* Thomas is also looking for funding through ACT for ORT<br />
** Discussed possibility of sharing infrastructure<br />
** Thomas suggested using Lightsail rather than RDS for the PostgreSQL database<br />
<br />
==SPDX Document Structure==<br />
* Update to model<br />
** Added name to Artifact<br />
* Document proposal to break down into clauses<br />
** Constrained by ISO to not having sub-sections or clauses<br />
* Structure on subclasses<br />
** Suggested we having a naming standard for the clauses that indicate the subclasses<br />
* Structure<br />
* Moving external document references to the linking profile<br />
** Concern about requiring all the requirements of linking profile<br />
*** Possible 2 profiles, one for document linking and a stronger one for InToto<br />
** Concern about having required information for being able to link to a document<br />
*** General agreement<br />
*** Would like to simplify the approach language<br />
*** Several possible solutions including the PURL<br />
** SPDX Lite – should it be part of licensing or separate profile?<br />
** Suggestion to introduce pre-requisite profiles<br />
<br />
==Next Week==<br />
* Continue discussion on container SBOM relationships<br />
* Aug 11 Legal profile<br />
<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-07-28Technical Team/Minutes/2020-07-282020-07-28T20:17:34Z<p>Goneall: </p>
<hr />
<div>July 28, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* Rose Judge<br />
* Nisha Kumar<br />
* William Bartholomew<br />
* Steve Winslow<br />
* Gary O’Neall<br />
* Jim Hutchison<br />
* Peter Shin<br />
<br />
Topics:<br />
SPDX 3.0 Base Profile<br />
<br />
==SPDX 3.0 Base Profile==<br />
* Continuing discussion from last week on the model<br />
* relationship Model as it relates to container<br />
** There will be a large number of external references<br />
** Potential issue of sharability across different deployment<br />
** Keep the SBOM with the artifact – so there will be a lot of external document references<br />
* Snippets simplification proposal<br />
** Do we relax the guiding principles for using external definitions (e.g. pointer model)?<br />
*** Proposal to relax guiding principle to review existing standards but only adopt those that do not overly complicate the SPDX standard<br />
* Overview of Template for profiles<br />
** Discussion on how we represent the mandatory/optional requirements<br />
** Only change for an existing field is to make the field mandatory<br />
* Should we allow any arbitrary additional tools?<br />
** Allows for easy extension<br />
** Most tools will ignore what they don’t understand<br />
** Possible issue with allowing proprietary extensions which may not be helpful to the open standard<br />
** Validation may break<br />
** Different design principle from 2.0 where extensions are only in annotations and comments<br />
** Proposal to allow adding new profiles and new fields in point release<br />
*** General agreement<br />
** Appendix should be added to describe how the fields should be added<br />
* Model update – replaced string field of PackageName with “FromFile”<br />
** General agreement the update made sense – but is different from 2.0<br />
** Agreed on a different name – packageFile<br />
** Checksum would be in the file and can be removed from the Package as a property<br />
* Relationship model for containers (continued)<br />
** Do we support the decomposition of SBOM’s as described by Nisha<br />
*** General agreement and support<br />
*** Suggestion to add external reference location information to find the external documents<br />
<br />
==Next Week==<br />
* Continue discussion on container SBOM relationships<br />
* Aug 11 Legal profile<br />
<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-07-28Technical Team/Minutes/2020-07-282020-07-28T20:17:10Z<p>Goneall: Created page with "July 28, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * Rose Judge * Nisha Kumar * William Bartholomew * Steve Winslow * Gary O’Neall * Jim Hutchison Topics: S..."</p>
<hr />
<div>July 28, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* Rose Judge<br />
* Nisha Kumar<br />
* William Bartholomew<br />
* Steve Winslow<br />
* Gary O’Neall<br />
* Jim Hutchison<br />
<br />
Topics:<br />
SPDX 3.0 Base Profile<br />
<br />
==SPDX 3.0 Base Profile==<br />
* Continuing discussion from last week on the model<br />
* relationship Model as it relates to container<br />
** There will be a large number of external references<br />
** Potential issue of sharability across different deployment<br />
** Keep the SBOM with the artifact – so there will be a lot of external document references<br />
* Snippets simplification proposal<br />
** Do we relax the guiding principles for using external definitions (e.g. pointer model)?<br />
*** Proposal to relax guiding principle to review existing standards but only adopt those that do not overly complicate the SPDX standard<br />
* Overview of Template for profiles<br />
** Discussion on how we represent the mandatory/optional requirements<br />
** Only change for an existing field is to make the field mandatory<br />
* Should we allow any arbitrary additional tools?<br />
** Allows for easy extension<br />
** Most tools will ignore what they don’t understand<br />
** Possible issue with allowing proprietary extensions which may not be helpful to the open standard<br />
** Validation may break<br />
** Different design principle from 2.0 where extensions are only in annotations and comments<br />
** Proposal to allow adding new profiles and new fields in point release<br />
*** General agreement<br />
** Appendix should be added to describe how the fields should be added<br />
* Model update – replaced string field of PackageName with “FromFile”<br />
** General agreement the update made sense – but is different from 2.0<br />
** Agreed on a different name – packageFile<br />
** Checksum would be in the file and can be removed from the Package as a property<br />
* Relationship model for containers (continued)<br />
** Do we support the decomposition of SBOM’s as described by Nisha<br />
*** General agreement and support<br />
*** Suggestion to add external reference location information to find the external documents<br />
<br />
==Next Week==<br />
* Continue discussion on container SBOM relationships<br />
* Aug 11 Legal profile<br />
<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/General_Meeting/Minutes/2020-07-02General Meeting/Minutes/2020-07-022020-07-08T01:12:17Z<p>Goneall: Created page with "* Attendance: 11 * Lead by Gary O'Neall == Presentation - Google Summer of Code Project Concurrent RDF Parser - Rishabh Bhatnagar== * Presentation available at https://docs...."</p>
<hr />
<div>* Attendance: 11<br />
* Lead by Gary O'Neall<br />
<br />
== Presentation - Google Summer of Code Project Concurrent RDF Parser - Rishabh Bhatnagar==<br />
<br />
* Presentation available at https://docs.google.com/presentation/d/17LSMZMi6GXwmrCv7qIpQz6pbGdRjjdQQDdOqbVPqpR0/edit#slide=id.g822549bbf3_1_0<br />
* Demo available at https://gordf.herokuapp.com/<br />
* Rishabh-walked through the architecture of the plan for his GSoC project and how its going to work with golang<br />
* Can be used as a general RDF parser as well.<br />
<br />
== Tech Team Report - Kate / Gary ==<br />
* Spec update - Kate<br />
** 2.2.1 —> ISO see: https://spdx.github.io/spdx-spec/v2-draft/<br />
*** Any remaining issues please submit by 7/7, frozen after that.<br />
** 3.0 progress moving forward in joint calls.<br />
* Tools - Gary<br />
** 1st phase of coding for GSOC<br />
** Added community bridge program with 2 additional project<br />
*** 2 CB projects started - Python libraries and license matching algorithm in Python<br />
<br />
== Legal Team Report - Steve/Paul ==<br />
* Experimenting to use etherpad —> github repo. for the meeting minutes<br />
* Working towards 3.10 next release of License list<br />
* Joint meetings with tech on SPDX 3.0 licensing profile.<br />
<br />
== Outreach Team Report – Steve (Jack unable to attend) ==<br />
* Some issues for website has been fixed<br />
* Please log any issues into https://github.com/spdx/spdx-website/issues<br />
* Help is requested for review and any suggested fixes <br />
<br />
== Attendees ==<br />
<br />
* Gary O’Neall<br />
* Kate Stewart<br />
* Alexios Zavras<br />
* Steve Winslow<br />
* Rishabh Bhatnagar<br />
* Brad Goldring<br />
* Mark Atwood<br />
* Paul Madick<br />
* Rohit Lodha<br />
* Anisha Srivastava<br />
* Mark Baushke<br />
<br />
[[Category:General|Minutes]]<br />
[[Category:Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-07-07Technical Team/Minutes/2020-07-072020-07-08T00:59:49Z<p>Goneall: Created page with "July 7, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * Rex Jaeschke * Rose Judge * Jim Hutchison * David Kemp * Peter Shin * William Bartholomew * Steve Winslow *..."</p>
<hr />
<div>July 7, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* Rex Jaeschke<br />
* Rose Judge<br />
* Jim Hutchison<br />
* David Kemp<br />
* Peter Shin<br />
* William Bartholomew<br />
* Steve Winslow<br />
* Gary O’Neall<br />
<br />
Topics:<br />
GSoC Update<br />
Update on 2.2.1<br />
<br />
==GSoC Update==<br />
* All evalutations were turned in on time<br />
* All students passed<br />
* Two community bridge projects has started<br />
* Additional work being done on deployment for the SPDX online tools by students who had applied but not accepted<br />
* Kate mentioned a community bridge volunteer to help with UI related code<br />
** Smith’s project could use some help<br />
** Kate will introduce to Gary who will introduce to Smith<br />
<br />
==SPDX 2.2.1==<br />
* Thomas had a couple of issues <br />
* Steve created an issue with a number of cleanup items<br />
** Need to update the RDF OWL document and other ontology documents with the updated texts from 2.2.1<br />
*** Gary will update once everything is complete on the 2.2.1 text<br />
** Details recorded in Issue #424 https://github.com/spdx/spdx-spec/issues/454<br />
** Inconsistency in naming of section definitions<br />
*** Agreed to add “information section” to annotation and relationship sections both titles and definitions<br />
** Update cardinality<br />
** Differences from 2.2 to 2.1 is incorrect – Kate will update<br />
** Are meta tags referenced? <br />
*** Currently in bibliography<br />
* Discussion on Normative references – no change to spec<br />
* Issue with template text being inconsistent with what was used (Alexios submitted an issue)<br />
** Decided not to change it for 2.2.1 – we will address in 3.0<br />
<br />
==3.0 Base Update==<br />
* William presented update on Profiles and Linking<br />
* Question on if you can add fields from profiles that are not declared?<br />
** Additional fields would be allowed, but not required for profiles not declared<br />
<br />
<br />
==Next Week==<br />
* 3.0 Base Profile discussion<br />
<br />
Following week – joint legal call<br />
Week following that - Vulnerabilities<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-06-23Technical Team/Minutes/2020-06-232020-06-24T00:04:31Z<p>Goneall: Created page with "June 23, 2020 == Attendees == * Kate Stewart * Thomas Steenbergen * Rex Jaeschke * Takashi Ninjouji * Karsten Klein * Rose Judge * Nisha Kumar * Steve Winslow * Gary O’Neal..."</p>
<hr />
<div>June 23, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Thomas Steenbergen <br />
* Rex Jaeschke<br />
* Takashi Ninjouji<br />
* Karsten Klein<br />
* Rose Judge<br />
* Nisha Kumar<br />
* Steve Winslow<br />
* Gary O’Neall<br />
<br />
Topics:<br />
Update on 2.2.1<br />
<br />
==SPDX 2.2.1==<br />
* Spec available at https://spdx.github.io/spdx-spec/v2-draft/<br />
* Nearly complete<br />
* Rex provided an overview of the current state<br />
* Tables are now number<br />
** Need to add to the release checklist to renumber the tables before release<br />
* HTML tables styling was added<br />
** Thomas requested the styling be put in CSS rather than inline<br />
* ISO process may take up to a year<br />
** 3.0 may well be ready to release at the time 2.2.1 is ISO approved<br />
* Reviews for 2.2.1 – comments due by Tuesday 30 June<br />
** Preference to pull requests or add issue<br />
** File issue in the spec tagged with 2.2.1<br />
* SPDX 2.2 ontology diagram need to update to 2.2.1 in section 5.1<br />
* C.1 data model needs to update to 2.2.1<br />
* D.1 grammar needs to go in a code block<br />
* Gary will add a PR for the definitions section 3.x<br />
<br />
==SPDX as a Package Manifest==<br />
* Thomas added issue #439<br />
* Minimal version of SPDX that can be included in the root of a directory for code that does not use a standard package manager (e.g. C/C++ projects that use makefiles)<br />
* What do we use for the document namespace?<br />
* What if we want to add a PackageVerificationCode or have FilesAnalyzed=true?<br />
* Could it be applied to Go binaries?<br />
* Can we use SPDX lite?<br />
** Different use cases, are the fields the same?<br />
* This will not be an additional section of the spec, but more guidance to the users of ORT<br />
* Thomas also worked on an example for 3.0<br />
** An issue and PR will be added to the spec<br />
<br />
==Next Week==<br />
* No call next week due to Linux conference North America<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-06-16Technical Team/Minutes/2020-06-162020-06-16T20:47:23Z<p>Goneall: Created page with "June 16, 2020 == Attendees == * Kate Stewart * Jim Hutchison * Thomas Steenbergen * Rose Judge * Nisha Kumar * Peter Shin * Steve Winslow * Gary O’Neall Topics: Update on 2..."</p>
<hr />
<div>June 16, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Jim Hutchison<br />
* Thomas Steenbergen<br />
* Rose Judge<br />
* Nisha Kumar<br />
* Peter Shin<br />
* Steve Winslow<br />
* Gary O’Neall<br />
<br />
Topics:<br />
Update on 2.2.1<br />
GSoC<br />
SPDX Tools<br />
<br />
<br />
==SPDX 2.2.1==<br />
* Spec available at https://spdx.github.io/spdx-spec/v2-draft/<br />
* Kate gave a quick overview of the changes made so far<br />
* Mostly renumbering, reformatting to ISO specs<br />
* A lot of external references were broken – changed to local references<br />
* All – Please review the 2.2.1 spec and open issues for any problems found<br />
* Overall structure is now in place – we can start basing our 3.0 work on the 2.2.1 work<br />
<br />
==GSoC==<br />
* coding continues in Summer of Code.<br />
* Python expertise - active request for reviews. ** more bandwidth needed.<br />
** Kate will provide Daniel Beard intro to Philippe ang Gary to possibly help with the Python libraries <br />
* Rohit, Alexios, Gary - mentors for Community Bridge.<br />
<br />
==Serialization Formats==<br />
* non normative changes to sample/examples for bugs in 2.2 <br />
* Serialization formats outside of RDF/XML; <br />
* some different assumptions were being made.<br />
* Better to document this in the specification itself. <br />
* Approach and assumptions being made - examples applying.<br />
* Serialization examples and principles. <br />
* Bugs ok in 2.2.1 & enhancements `<br />
* Goal - use native format of JSON & YAML when possible<br />
** same vocabulary across all. <br />
** Exact case and spelling may differ due to different formats.<br />
** Stem of term would be consistent.<br />
** UML object model is abstract and not specific to any format.<br />
** Want JSON to look like “JSON” not something else.<br />
* Nisha: concern over incompatiblity with tool compatibility with different cases.<br />
** JSON allows plural forms on some array terms.<br />
** Singular to plural are not easy to code<br />
** Consistent casing structure.<br />
** Any tools that support more than one serialization format will have to deal with this.<br />
** Nisha: Question on the overall model. <br />
***Using RDF/XML document as source, but Alexios wrote a translator to standard OMG UML. <br />
*** TODO: Annex C needs to be updated from RDF —> UML Object Model; and include the diagram from Alexios.<br />
https://github.com/spdx/spdx-spec/blob/development/v2.2.1/ontology/SPDX-2.2-Simplified.png<br />
* Agreed on the following guiding principles for the different serialization formats<br />
** Consistent vocabulary across format<br />
** Consistent object model across formats (where feasible)<br />
** Serialization formats are optimized to for the formats (e.g. JSON will look natural to someone familiar with JSON)<br />
* We will document the different serialization formats in the spec in 3.0 in a similar fashion to tag/value and RDF/XML<br />
* We will add JSON and YAML examples to 2.2.1 or a 2.2.2 version of the spec depending on timing<br />
<br />
==Next Week’s Agenda==<br />
* June 23 - Security - Thomas “unblock thomas"<br />
* June 30 - Cancelled.<br />
* July 7 - BASE 3.0 - William<br />
* July 14 - Licensing Profile - Steve<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-06-09Technical Team/Minutes/2020-06-092020-06-11T21:06:23Z<p>Goneall: Created page with "June 9, 2020 == Attendees == * Kate Stewart * Jack Manbeck * John Mudge * Rex Jaeschke * 12066042189 * Brad Goldring * Emmanuel * Jilayne Lovejoy * Matija Suklje * Nisha Kumar..."</p>
<hr />
<div>June 9, 2020<br />
== Attendees ==<br />
* Kate Stewart<br />
* Jack Manbeck<br />
* John Mudge<br />
* Rex Jaeschke<br />
* 12066042189<br />
* Brad Goldring<br />
* Emmanuel<br />
* Jilayne Lovejoy<br />
* Matija Suklje<br />
* Nisha Kumar<br />
* Peter Shin<br />
* Rose Judge<br />
* Santiago Torres<br />
* Vicky Brasseur<br />
* Gary O’Neall<br />
* Mark Atwood<br />
<br />
Topics:<br />
Rex/John update on 2.2.1<br />
GSoC<br />
SPDX Tools<br />
<br />
<br />
==SPDX 2.2.1==<br />
* Update from Rex<br />
** 6 remaining issues<br />
*** Will be covered in a follow-up call with Kate. Any remaining issues will be brought to the group for next week<br />
** Question on formatting for the headings and the links<br />
*** Jack, Kate, Thomas, Rex and John will discuss offline<br />
<br />
==GSoC==<br />
* coding has started<br />
<br />
==Licensing Profile==<br />
* Meta issue #386 is tracking all the license profile related issues<br />
* Consolidating issues for license profile issue #385<br />
** Collection of fields for license<br />
* Do we need a distributed license?<br />
** Both Jilayne and Steve believe that concluded license can be used<br />
*** This was the original intent of concluded license<br />
** Thomas expressed an interest in clearly declaring a non-disjunctive license at the point of distribution<br />
*** Different distributed licenses may be chosen for different customers<br />
** Documentation currently doesn’t capture the disjunctive choice scenario for concluded license<br />
** Concluded is currently used for both adding a reviewed conclusion on the license data and for the choice of disjunctive licenses<br />
** Brad suggested teasing apart the document creator and the artifact creator when defining distributed license<br />
* General support for moving to 2 fields for every artifact DeclaredLicense and ConcludedLicense<br />
* Use of the DistributedLicense needs more discussion<br />
** Description of use cases for DistributedLicense<br />
** Updated documentation for ConcludedLicense to include disjunctive choice<br />
** Documentation on Artifact<br />
<br />
==Next Week’s Agenda==<br />
* 2.2.1 update<br />
* GSoC<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridgeCommunityBridge2020-06-07T20:27:06Z<p>Goneall: /* Summer 2020 Process and Selection Criteria */</p>
<hr />
<div>= Community Bridge =<br />
<br />
These pages are dedicated to Community Bridge projects for SPDX.<br />
<br />
== Summer 2020 Process and Selection Criteria ==<br />
We now have funding and mentors available for up to 2 students. With over 50 applications, we will need to be very selective. <br />
<br />
Below is the process and the criteria we will use for selecting the student for this project:<br />
* Applications are now open for any student with proof of enrollment<br />
* The project is scheduled to start July 1 and run through end of September<br />
** Since the project workload is equivalent to full-time work, applicants should make sure that no other obligations (e.g. to school) would prevent them for dedicating this time to their project<br />
* Applicants should upload a project proposal to community bridge with the following information before June 15:<br />
** A description of the project and how it improves the SPDX online tools and benefits the SPDX community<br />
** A workplan describing the deliverables<br />
** 4 specific milestones at 25% 50%, 75% and 100% of the project timeline – these milestones will be basis for paying the student stipends throughout the project<br />
* Project ideas can be found on the Community Bridge Mentoring Project Ideas Page: https://wiki.spdx.org/view/CommunityBridge/CommunityBridge_ProjectIdeas<br />
** These reflect our current priorities, but are not restricting: we are open to any other project ideas applicants may propose<br />
* Selection will be based on 3 factors:<br />
** The project proposal<br />
** Contributions to any of the SPDX projects (all located under the SPDX GitHub organization): https://github.com/spdx<br />
** Contributions to other publicly available projects which use similar technologies (e.g. Python or Django projects)<br />
* A short list of candidates will be selected on the week of 15-19 June<br />
** Applicants not selected will be notified, so that they are freed to apply to other Community Bridge projects<br />
* The final candidates will be selected on the week of 22-26 June<br />
<br />
== SPDX Mentoring Projects ==<br />
<br />
The following are mentoring projects available on the Linux Foundation Community Bridge<br />
* [https://funding.communitybridge.org/projects/spdx-online-tools SPDX Online Tools]<br />
<br />
Project ideas can be found on the [[/CommunityBridge_ProjectIdeas | Community Bridge project ideas page]]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridgeCommunityBridge2020-06-05T16:07:54Z<p>Goneall: </p>
<hr />
<div>= Community Bridge =<br />
<br />
These pages are dedicated to Community Bridge projects for SPDX.<br />
<br />
== Summer 2020 Process and Selection Criteria ==<br />
We now have funding and mentors available for up to 2 students. With over 50 applications, we will need to be very selective. Below is the process and the criteria we will use for selecting the student for this project:<br />
* Applications are now open for any student with proof of enrollment<br />
* The project is scheduled to start July 1 and run through end of September<br />
** Since the project workload is equivalent to full-time work, applicants should make sure that no other obligations (e.g. to school) would prevent them for dedicating this time to their project<br />
* Applicants should submit a project proposal with the following information:<br />
** A description of the project and how it improves the SPDX online tools and benefits the SPDX community<br />
** A workplan describing the deliverables<br />
** 4 specific milestones at 25% 50%, 75% and 100% of the project timeline – these milestones will be basis for paying the student stipends throughout the project<br />
* Project ideas can be found on the Community Bridge Mentoring Project Ideas Page: https://wiki.spdx.org/view/CommunityBridge/CommunityBridge_ProjectIdeas<br />
** These reflect our current priorities, but are not restricting: we are open to any other project ideas applicants may propose<br />
* Selection will be based on 3 factors:<br />
** The project proposal<br />
** Contributions to any of the SPDX projects (all located under the SPDX GitHub organization): https://github.com/spdx<br />
** Contributions to other publicly available projects which use similar technologies (e.g. Python or Django projects)<br />
* A short list of candidates will be selected on the week of 15-19 June<br />
** Applicants not selected will be notified, so that they are freed to apply to other Community Bridge projects<br />
* The final candidates will be selected on the week of 22-26 June<br />
<br />
== SPDX Mentoring Projects ==<br />
<br />
The following are mentoring projects available on the Linux Foundation Community Bridge<br />
* [https://funding.communitybridge.org/projects/spdx-online-tools SPDX Online Tools]<br />
<br />
Project ideas can be found on the [[/CommunityBridge_ProjectIdeas | Community Bridge project ideas page]]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridge/CommunityBridge_ProjectIdeasCommunityBridge/CommunityBridge ProjectIdeas2020-06-04T17:55:30Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Community Bridge Project Ideas Page'''</span><br />
<br />
Proposals can use the [https://rtgdk.github.io/spdx-gsoc-proposal.html Google Summer of Code proposal template] as a general guide for community bridge projects.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
* [https://github.com/spdx SPDX Git Repository]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
==SPDX Workgroup Tooling Projects== <br />
<br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
<br />
=== Replace Java Functions in the SPDX Online Tools with Python Library Functions ===<br />
Improve the performance and reliability of the SPDX Online Tools by replacing functions implemented in Java with native Python implementations. <br />
====Skills Needed====<br />
* Development skills in the Python<br />
* Based understanding of Java<br />
* Development skills in Django<br />
* Ability to work with the community in integrating results with other projects<br />
====Background Information====<br />
The [https://github.com/spdx/tools-python Python Tools] library can be used but will need to be extended and improved to replace the features. The Java implementations can be found in the [https://github.com/spdx/tools SPDX Java tools implementation]<br />
====Available Mentors====<br />
TBD<br />
<br />
=== Improve the Python Libraries ===<br />
The Python Libraries need to be updated to the SPDX 2.2 spec and there are several issues outstanding. <br />
====Skills Needed====<br />
* Development skills in the Python<br />
* Ability to work with the community in integrating results with other projects<br />
====Background Information====<br />
See the [https://github.com/spdx/tools-python/issues SPDX Python Tools Issues List] for more information.<br />
====Available Mentors====<br />
TBD<br />
<br />
=== Improve the Deployment Infrastructure for the SPDX Online Tools ===<br />
Improve the reliability, security and deployability of the SPDX online tools including container management, deployment testing and monitoring.<br />
====Skills Needed====<br />
* Development skills in Python and Django<br />
* Experience with containers<br />
* Understanding of software as a service deployment<br />
====Background Information====<br />
The current SPDX online tools is deployed manually on an Amazon AWS EC2 Linux instance. The current process is error prone and labor intensive. We would like to move to a more automated and reliable mechanism. There is a variety of possible deployment architectures including a container based approach using Kubernetes. <br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] TBD<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridge/CommunityBridge_ProjectIdeasCommunityBridge/CommunityBridge ProjectIdeas2020-06-04T17:06:24Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Community Bridge Project Ideas Page'''</span><br />
<br />
Proposals can use the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] as a guide for community bridge projects.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
==SPDX Workgroup Tooling Projects== <br />
<br />
=== Replace Java Functions in the SPDX Online Tools with Python Library Functions ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
=== Improve the Python Libraries ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
=== Improve the Deployment Infrastructure for the SPDX Online Tools ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridge/CommunityBridge_ProjectIdeasCommunityBridge/CommunityBridge ProjectIdeas2020-06-04T17:05:24Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Community Bridge Project Ideas Page'''</span><br />
<br />
Proposals can use the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] as a guide for community bridge projects.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
==SPDX Workgroup Tooling Projects== <br />
<br />
=== Replace Java Functions in the SPDX Online Tools with Python Library Functions ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
=== Improve the Python Libraries ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
=== Improve the Deployment Infrastructure for the SPDX Online Tools ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridge/CommunityBridge_ProjectIdeasCommunityBridge/CommunityBridge ProjectIdeas2020-06-04T17:04:19Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Community Bridge Project Ideas Page'''</span><br />
<br />
Proposals can use the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] as a guide for community bridge projects.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
==SPDX Workgroup Tooling Projects== <br />
<br />
=== Replace Java Functions in the SPDX Online Tools with Python Library Functions ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
=== Improve the Python Libraries ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
=== Improve the Deployment Infrastructure for the SPDX Online Tools ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridge/CommunityBridge_ProjectIdeasCommunityBridge/CommunityBridge ProjectIdeas2020-06-04T16:58:30Z<p>Goneall: Created page with "<br /> <span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span> See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposa..."</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from last year can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Generate Java SPDX Model Classes from XML XSD file ===<br />
In SPDX 3.0, we will be generating an XML XSD schema to define the model. This project idea is to use the XSD schema to generate a set of Java classes which represent the complete SPDX model. The generated classes would be used as part of a re-designed Java tool for SPDX. <br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* Skills in code generation practices<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
* A proposed XSD for SPDX can be found on [https://github.com/mil-oss/spdx-xsd github]. Note: This is a very early proposal and would likely change significantly.<br />
* Current Java tools can be found on [https://github.com/spdx/tools SPDX Tools github page]<br />
* A rewrite of the Java tools is in progress. The in progress work can be found at the [https://github.com/goneall/Spdx-Java-Library Spdx-Java-Library] github page.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Validate License Cross-References ===<br />
Enhance the SPDX LicenseListPublisher to validate the cross reference / seeAlso URL's for the license. One check would be to validate the link is still valid. This would need to be done in a way that has reasonably good performance (e.g. a long timeout would not work). Another check would be to identify the license text in the linked URL and compare it to the license text for the license itself to make sure they match. If either of these tests fail, a validity attribute should be added to the license output files (e.g. the license JSON files).<br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* HTML parsing skills<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
The [https://spdx.org/licenses/ SPDX license list] is generated from a [https://github.com/spdx/license-list-XML git repository of XML files]. One of the fields maintained in the XML is the crossRef which is a URL cross reference for the license which may be valid or it may also be a "dead link". The [https://github.com/spdx/LicenseListPublisher LicenseListPublisher] is the tool that generates the web pages and the output formats. The output formats can be found in the [https://github.com/spdx/license-list-data SPDX license list data] git repository. [https://github.com/spdx/LicenseListPublisher/issues/60#issuecomment-570511697 Issue #60] for the LicenseListPublisher describes a request to include validity attribute.<br />
<br />
Over the summer, we may be adding the XML format to the supported output data formats in the license list data repo.<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== Improve SPDX Golang tooling ===<br />
The goal of this GSoC project would be to add support in the [https://github.com/spdx/tools-golang SPDX Golang tools] for SPDX documents in versions of the SPDX spec other than 2.1, including the upcoming 2.2 spec release which will add JSON, YAML and XML to the supported formats. Other work may include improving the validation and data model used by the Golang tools.<br />
<br />
====Skills Needed====<br />
* Go programming skills<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
The [https://github.com/spdx/tools-golang SPDX Golang tools] were initially designed to work with SPDX documents in tag-value format, for version 2.1 of [https://spdx.org/specifications the SPDX specification]. Currently it does not support earlier versions of the SPDX specification. Also, [https://github.com/spdx/spdx-spec/milestone/2 the upcoming 2.2 spec release], in addition to new data fields, will also add support for SPDX documents in JSON, YAML and XML formats. The Golang tools should (at a minimum) be updated to enable reading and writing in JSON and YAML.<br />
<br />
The SPDX Golang tools currently do some validation when reading and parsing SPDX documents, but they do not currently do much validation of the content itself. For example, license fields are represented as strings, but the tools do not currently check to confirm that e.g. the license identifiers are valid SPDX license expressions. Additional validation support to improve this would be beneficial.<br />
<br />
Additionally, the [https://github.com/spdx/tools-golang/tree/master/spdx data model used internally by the SPDX tools] to represent SPDX content is different in some ways from the data model used by other tools (e.g. [https://github.com/spdx/tools/tree/master/src/org/spdx/rdfparser/model Java], [https://github.com/spdx/tools-python/tree/master/spdx Python]). One goal for this project might be to evaluate the choices made by those other tools, and consider whether the Golang tools' data model should change to align with those.<br />
<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== GoLang Parallel RDF Parser ===<br />
Implement a high performance RDF parser for GoLang to support the SPDX RDF/XML format parsing and production.<br />
<br />
====Skills Needed====<br />
* GoLang programming skills<br />
* Knowledge of RDF<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
As of now, there are very few known libraries in GoLang which support RDF-Parsing and are Licensed to use with an open-source project. One of them is [https://godoc.org/github.com/knakk/rdf](knakk/rdf2go). This library uses the RDF serialization format. All the current projects claiming to parse RDF files have implemented it in a linear fashion(line by line parsing) making it a repetitive and time-consuming process. This project will aim to chunk the RDF files into appropriate blocks and parse them simultaneously to reduce the effective time required to parse the entire document. The parser must conform to the SPDX-2.x version standards and have proper tests for each procedure.<br />
<br />
This project could be included as part of a larger project which includes other fixes to the GoLang tools (see the Improve GoLang tooling project idea above).<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== SPDX Plugins for Package Managers ===<br />
Create a native plug-in or extension to a well-known package manager to generate valid SPDX documents based on the information provided in the build metadata files. Examples of package managers include Node Package Manager (NPM), Gradle, Rust Cargo, Ruby Gems, Python pip, and Cocoa Pods. A plugin for Maven has already been developed and can be used as an example.<br />
<br />
The plugin should generate a valid SPDX document with minimal configuration required by the user.<br />
====Skills Needed====<br />
* Programming languages skills will depend on the package manager (e.g. Ruby for Ruby Gems, JavaScript for NPM)<br />
* Knowledge of package managers and build processes<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
====Background Information====<br />
SPDX produces a standard Bill of Materials for software containing package and license information. Package managers collect and manage much of the data needed to produce an SPDX document. Automatically generating SPDX documents in package managers will greatly increase the efficiency and adoption of SPDX.<br />
<br />
The [Maven Plugin]( https://github.com/spdx/spdx-maven-plugin) is a prototype plugin developed for the Maven build system. It can be used as an example for creating plugins for other build environments.<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:kstewart@linuxfoundation.org Kate Stewart] <br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridgeCommunityBridge2020-06-04T16:57:53Z<p>Goneall: /* SPDX Mentoring Projects */</p>
<hr />
<div>= Community Bridge =<br />
<br />
These pages are dedicated to Community Bridge projects for SPDX.<br />
<br />
== SPDX Mentoring Projects ==<br />
<br />
The following are mentoring projects available on the Linux Foundation Community Bridge<br />
* [https://funding.communitybridge.org/projects/spdx-online-tools SPDX Online Tools]<br />
<br />
Project ideas can be found on the [[/CommunityBridge_ProjectIdeas | Community Bridge project ideas page]]</div>Goneallhttps://wiki.spdx.org/view/CommunityBridgeCommunityBridge2020-06-04T16:56:13Z<p>Goneall: Created page with "= Community Bridge = These pages are dedicated to Community Bridge projects for SPDX. == SPDX Mentoring Projects == The following are mentoring projects available on the Li..."</p>
<hr />
<div>= Community Bridge =<br />
<br />
These pages are dedicated to Community Bridge projects for SPDX.<br />
<br />
== SPDX Mentoring Projects ==<br />
<br />
The following are mentoring projects available on the Linux Foundation Community Bridge<br />
* [https://funding.communitybridge.org/projects/spdx-online-tools SPDX Online Tools]<br />
<br />
Project ideas can be found on the [[/CommunityBridge_ProjectIdeas Community Bridge project ideas page]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-06-02Technical Team/Minutes/2020-06-022020-06-02T18:03:13Z<p>Goneall: Created page with "June 2, 2020 == Attendees == * Jim Hutchison * Rex Jaeschke * Kate Stewart * William Bartholomew * Gary O’Neall * Nisha Kumar * Steve Winslow * John Mudge * Takashi Ninjouji..."</p>
<hr />
<div>June 2, 2020<br />
== Attendees ==<br />
* Jim Hutchison<br />
* Rex Jaeschke<br />
* Kate Stewart<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Nisha Kumar<br />
* Steve Winslow<br />
* John Mudge<br />
* Takashi Ninjouji<br />
* Peter Shin<br />
* Rose Judge<br />
* Thomas Steenbergen<br />
<br />
Topics:<br />
Rex/John update on 2.2.1<br />
GSoC<br />
SPDX Tools<br />
<br />
<br />
==SPDX 2.2.1==<br />
* Update from Rex<br />
** Help wanted on a few issues<br />
** Making progress<br />
** Would like to target next week<br />
<br />
==GSoC==<br />
* Met with all the students<br />
* coding has started<br />
<br />
==SPDX Tools in the Repo==<br />
* Java Classic<br />
* Java Tools<br />
* Python<br />
** Need an update from Philippe<br />
** Gary offered to help<br />
** Needs be brought up to 2.2<br />
** Tern could use the Python library for as a validator<br />
** Could use the community bridge mentoring program to help – Gary will follow-up on the mentoring call<br />
* GoLang<br />
** Currently 2.1<br />
** Next working on 2.2<br />
** Summer of code project to implement RDF format<br />
* JavaScript<br />
** Summer of Code project but needs some work<br />
** Could potentially use Kotlin as a substitute<br />
* Kotlin<br />
** ORT uses SPDX<br />
** Could separate out a separate library<br />
* License mapping<br />
** Left off on how to map the ID’s to the aliases<br />
** Each language can implement<br />
** Future topic<br />
<br />
==SPDX 3.0==<br />
* Steve provided an overview of meta-issues<br />
** Different projects use different terms – agreement to use Meta issue<br />
** Suggestion to use Github template for the meta issues<br />
*** Steve will create a template for META issues<br />
** We could use templates for the different profiles<br />
* Labels<br />
** suggest “profile licensing”<br />
** suggest “profile base”<br />
** suggest “profile security”<br />
** Kate will add some additional profile labels<br />
* No meta issue for security for now – will use labels<br />
<br />
==Next Week’s Agenda==<br />
* 2.2.1 update<br />
* GSoC<br />
* License profile – joint call with legal starting at 15 minutes after the hours<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-05-19Technical Team/Minutes/2020-05-192020-05-19T19:38:15Z<p>Goneall: Created page with "May 19, 2020 == Attendees == * Jim Hutchison * Rex Jaeschke * GogginsS * John Mudge * Nisha Kumar * Steve Winslow * Kate Stewart * William Bartholomew * Gary O’Neall * Rose..."</p>
<hr />
<div>May 19, 2020<br />
== Attendees ==<br />
* Jim Hutchison<br />
* Rex Jaeschke<br />
* GogginsS<br />
* John Mudge<br />
* Nisha Kumar<br />
* Steve Winslow<br />
* Kate Stewart<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Rose Judge<br />
* Takashi Ninjouji<br />
* Santiago Torres<br />
* Peter Shin<br />
* Vicky Brasseur<br />
* Thomas Steenbergen<br />
* Rishabh Bhatnagar<br />
<br />
==SPDX 2.2==<br />
* Question on how to submit new features beyond 2.2<br />
** Consensus to add issues in Github<br />
* SPDX 2.2 wrap up - status of .pdf generation, next steps <br />
** Kate & Gary - follow up, still some issues outstanding.<br />
==SPDX 2.2.1==<br />
* update from Rex<br />
** A new numbering scheme<br />
** An appendix will be added to translate from the old to new numbering<br />
** John gave an update on new format<br />
* Line breaks discussion<br />
** Thomas recommended line breaks be made post production rather than explicitly<br />
** Agreed to not add explicit line breaks<br />
* Discussion on changing Intent to Description<br />
** Agreed to change to Description<br />
* Possible issue with the word Example<br />
** May have to change to a different word such as sample<br />
** Thomas raised an issue with changing to sample<br />
* Embedded HTML in the examples may cause issues<br />
** Suggest removing the HTML except for anchors<br />
** May also be an issue with 3.0<br />
* Major issues have been resolved<br />
* Expect to have a list of remaining issues by the end of the week<br />
<br />
==GSoC==<br />
* Anisha, Rohit & Gary - had call, researching alternatives<br />
* Rishab, Steve & Gary - golang, discussion <br />
* Philip - Kate, Santiago & Philippe - pending<br />
* Tenjong - license cross ref, already engaging. <br />
* reasonable activitity on gitter. <br />
* Bringing back one of student proposals through community bridge, update June 1.<br />
<br />
==Automation for the Spec==<br />
* Level of Automation for 3.0<br />
** OWL document —> Schema’s work —> Sample code, etc. <br />
** Two sources of errors: tools doing translations, copy paste error<br />
** Can we look at automating the creation from everything from one source of record.<br />
** Having mark down be the source of record.<br />
* Automation Proposals:<br />
* Pick a source of record, everything else is automated from there.<br />
** Diagram - how can this work with markdown.<br />
** Possibly not include generated artifacts in repo.<br />
** Could be added into a github action to generate diagram. Not store in repo itself, since its generated.<br />
** Everytime PR, get new OWL document <br />
** William’s diagrams are already generated by plugin<br />
** Software generate example files, and then they are included in markdown.<br />
* Concern: How fragile are the tools? <br />
** Gary - will handcode in Java, specific to SPDX. Subsection & schemas. Tool dependency.<br />
** Thomas - Companies do this, but we need to make sure. <br />
* Sections will have to be very much tied to the formatting. <br />
* Breaking formatting may break build. PR requested via breaking build. More of burden for submitters.<br />
* Nisha, Kate, William, are a favor in trying this.<br />
* Gary looking for collaboration on the tools. Nisha & Rose willing to work with Python. <br />
** Gary ok to do it in Python, if Rose able to help out here. Separate Sync up in 2 or 3 weeks. <br />
** William ok mentor. Thomas ok to review.<br />
* Revisit in 3 weeks - status of tooling <br />
<br />
==SPDX 3.0==<br />
* How do we submit proposals for 3.0?<br />
** Use Github Issues<br />
** Proposal to add Github labels for the profiles<br />
** Add Tech Team review as a label to schedule a call<br />
* Annotations and/or Relationships have YAML samples for review<br />
** Kate will help with the examples<br />
* Suggest we start a mapping spreadsheet<br />
** Kate will start the sheet<br />
* Wait for 2.2.1 template completion from John<br />
** After template, William will create 3.0<br />
* Need a way to specify which profiles are in effect<br />
** Suggest adding a field to the base<br />
** Base is always listed, additional profiles are also listed<br />
** Defer versioning<br />
* Discussed if you can use fields from other profiles<br />
** OK to re-use fields from other profiles<br />
** Profiles define which fields are mandatory<br />
** To be further discussed<br />
<br />
==Next Week’s Agenda==<br />
* Thomas to lead discussion on Security profile<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-05-12Technical Team/Minutes/2020-05-122020-05-12T18:04:03Z<p>Goneall: Created page with "May 12, 2020 == Attendees == * Alexios Zavras * Nisha Kumar * Steve Winslow * Kate Stewart * William Bartholomew * Gary O’Neall * Rose Judge * Thomas Steenbergen * Takashi..."</p>
<hr />
<div>May 12, 2020<br />
== Attendees ==<br />
* Alexios Zavras <br />
* Nisha Kumar<br />
* Steve Winslow<br />
* Kate Stewart<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Rose Judge<br />
* Thomas Steenbergen<br />
* Takashi Ninjouji<br />
* Santiago Torres<br />
* Peter Shin<br />
<br />
==2.2 - Publishing Spec==<br />
* Jack provided an update<br />
* Issue with links within the document<br />
** Pandoc is interpreting the links between docs as URL<br />
** It appears that there is an incompatibility between Pandocs and the web page generation<br />
** Thomas knows of a redirect plugin – will attempt to find this to resolve the issue<br />
<br />
==SPDX 2.2.1==<br />
* Some issues with cross-references, similar to the 2.2 publishing spec<br />
* Horizontal scrollbars for the XML examples don’t render well in .docx format<br />
** Rex will put in breaks<br />
* Inconsistency in Annex sub-clause numbering<br />
** Rex suggested numbering in a consistent formatting as chapters<br />
** Rex and Kate will follow-up<br />
* Marking annexes as normative or informative (issue 256)<br />
** Steve will take this one<br />
* Need help with Conformance Clause<br />
* Need help with Composition of an SPDX document (issue 330)<br />
** Rose volunteered to take a look<br />
* Overall, good progress on implementation<br />
* Kate has a backlog of PR’s to review and merge<br />
<br />
==GSoC==<br />
* Gary welcomed all the students<br />
* Mentors should be reaching out to students and setup meetings<br />
<br />
==New Website==<br />
* New URL for the main website spdx.dev<br />
** spdx.org/rdf and spdx.org/licenses will remain the same<br />
* 1 to 2 weeks we should be “throwing the switch”<br />
* Content for the website should be updated<br />
* Moving the SPDX wiki over to github<br />
** Proposal to create a new Github wiki “Governance”<br />
** One repo for all SPDX with folders for each team<br />
** Attempt to copy all Wiki content over<br />
** Thomas suggested automating the conversion<br />
** No one objected to move over<br />
<br />
==SPDX 3.0==<br />
* Merging changes from 2.2 and 2.2.1 into 3.0<br />
** Proposal to reset the 3.0 branch<br />
** Take a snapshot of the current 3.0<br />
** Re-branch from 2.2 into 3.0 and re-update<br />
* Over the next week, update the YAML and JSON examples into 2.X<br />
* 2.2.1 to become more stable<br />
* Then reset the branch<br />
* Discussion on automating creating of markdown or OWL schema<br />
** Will discuss in more detail on next week’s call<br />
** General consensus to have the markdown as the source since it is easier to edit<br />
* Santiago will share a doc with the linkage profile ideas<br />
* Should we have a separate mailing list?<br />
** Security may not want to be on the same general mailing list<br />
** If any of the profile leads would like to have a separate mail list, contact Kate<br />
* Peter is pulling together a use case document for 3.0<br />
** Currently includes Nisha’s use cases<br />
** Will be a Google Doc for now<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-05-05Technical Team/Minutes/2020-05-052020-05-06T04:31:00Z<p>Goneall: Created page with "May 5, 2020 == Attendees == * Alexios Zavras * Nisha Kumar * Steve Winslow * Kate Stewart * William Bartholomew * Gary O’Neall * Sean Goggins * Jim Hutchison * Karsten Klei..."</p>
<hr />
<div>May 5, 2020<br />
== Attendees ==<br />
* Alexios Zavras <br />
* Nisha Kumar<br />
* Steve Winslow<br />
* Kate Stewart<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Sean Goggins<br />
* Jim Hutchison<br />
* Karsten Klein<br />
* Vicky Brasseur<br />
* Rose Judge<br />
* Thomas Steenbergen<br />
* Takashi Ninjouji<br />
* Santiago Torres<br />
<br />
==GSoC==<br />
* 4 projects selected<br />
* Looking for mentoring possibility for one of the students who should have been selected but wasn’t<br />
* Currently in community bonding<br />
* Active coding about a month away, will start having the students join the call at that time<br />
* Discussion on the approach for repos:<br />
** Up to student and mentor – Gary can create a repo in SPDX, can use a branch in an existing SPDX repo, or can use the student’s repo and transfer to SPDX at the end of the project<br />
* Question on Gitter<br />
** We’ll use the public SPDX channel for most communications<br />
<br />
==SPDX 2.2==<br />
* Release done over the weekend<br />
* development/v2.2.1 branch created and made the default branch<br />
* Thanks to the many contributors and reviewers – especially Alexios, Steve, Thomas, William, Kate and Gary<br />
* Rendering for the v2 draft has some problems – William is looking into<br />
<br />
==SPDX 2.2.1==<br />
* Focused on the ISO standard<br />
* Conversion to the standard as first phase and move to word for submission as a second phase<br />
<br />
==Containers==<br />
* See slides for the overview presented by Nisha<br />
* Issue with download URL not being a URL<br />
* Issue with the size – 7MB for the example shown<br />
* Issue with difference in representation in the layer descriptions and in the flattened image<br />
** Name are based on the SHA checksum, not a natural filename<br />
* Is it possible to define an SPDX document for each layer<br />
** Yes – external document refs can be used<br />
** Discussion on tooling support<br />
* Discussion on different relationship types for the manifest.json and config.json<br />
* How do we account for content addressable “Packages”?<br />
* What does an external reference look like for deployments?<br />
* Can we compose/decompose SPDX documents?<br />
* Can we provide pipeline context?<br />
* General agreement that the relationships between docs and pipeline is related to the linking proposal Santiago is working on<br />
<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-04-28Technical Team/Minutes/2020-04-282020-04-29T02:20:01Z<p>Goneall: Created page with "April 28, 2020 == Attendees == * Alexios Zavras * Nisha Kumar * Steve Winslow * Kate Stewart * William Bartholomew * Gary O’Neall * Rose Judge * Thomas Steenbergen * Takash..."</p>
<hr />
<div>April 28, 2020<br />
== Attendees ==<br />
* Alexios Zavras <br />
* Nisha Kumar<br />
* Steve Winslow<br />
* Kate Stewart<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Rose Judge<br />
* Thomas Steenbergen<br />
* Takashi Ninjouji<br />
* Santiago Torres<br />
* Matt Germonprez<br />
* Rohit Lodha<br />
* Sean Goggins<br />
<br />
==SPDX 2.2==<br />
* Review of pull requests<br />
* Reviewed issues<br />
* Went through checklist<br />
** Kate will work on a blog post<br />
** Meeting this Friday to review final checklist – Kate is organizing. William, Thomas, Gary, and <br />
<br />
==3.0 Attesting==<br />
* Issue on over-using relationships<br />
** For a reader of a document, important information is not present since it is referred to in a relationship<br />
** Potential issue of cycles in the graph<br />
** Suggestion that tooling can flatten out and verify the graph into something readable and/or greppable<br />
* Should we have separate relationship types – each with their own relationship types<br />
** Between artifacts<br />
** Between artifacts and identities<br />
** Between identities <br />
* Should it be part of the base profiles?<br />
** William proposed it would be and no one disagreed<br />
* Discussion on “integration use cases”<br />
* Question on relationship between links and relationship<br />
** Many to many? 1:1? 1:*, *:1?<br />
* Santiago will progress the discussion forward and propose some naming alternatives to “linking”<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-04-21Technical Team/Minutes/2020-04-212020-04-21T21:51:27Z<p>Goneall: Created page with "April 21, 2020 == Attendees == * David Kemp * Alexios Zavras * Nisha Kumar * Steve Winslow * Kate Stewart * Rex Jaeschke * Jack Manbeck * William Bartholomew * Gary O’Neall..."</p>
<hr />
<div>April 21, 2020<br />
== Attendees ==<br />
* David Kemp<br />
* Alexios Zavras <br />
* Nisha Kumar<br />
* Steve Winslow<br />
* Kate Stewart<br />
* Rex Jaeschke<br />
* Jack Manbeck<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Rose Judge<br />
* Thomas Steenbergen<br />
* Takashi Ninjouji<br />
<br />
==Container SPDX==<br />
* Nisha requested a discussion on some of the issues when generating SPDX documents for containers<br />
* Discussion schedule for the 6 May tech call<br />
<br />
==SPDX 2.2==<br />
* Issues reviewed and updated<br />
<br />
==SPDX 2.2.1==<br />
* Rex discussed restructuring the document for ISO conformance<br />
* Issue with numbering – will need to be renumbered to conform to ISO Standards<br />
** Converting to word would automatically renumber<br />
** Proposal to keep a permanent number in parallel with the section numbers<br />
** Non-English documentation refers to numbers<br />
** Other documentation refers to number (including code comments)<br />
** Can create an informative annex mapping old section numbers to the new<br />
* Issue with hanging paragraphs at the beginning of the sections – not allowed, will need to move to one of<br />
** Conformance section – things such as cardinality<br />
** Introductory section at the beginning of the document<br />
** General or introductory subsection<br />
<br />
==3.0 Security Section==<br />
* Thomas provided an overview presentation at https://docs.google.com/document/d/1GyUMEcv4G8ZUGbXB8T_-pkDFxYUAbP0W0Tuts2cpZiw/edit?ts=5e9de64a<br />
* Combination of several standards including CycloneDX, IonChannel, NVD, CVE, etc.<br />
* Nisha will ask for a review from some of the security specialists she works with<br />
* Future, we’ll bring in others for review – Thomas will guide the timing as the document matures<br />
* Moving the document from Google Docs to MD<br />
<br />
[[Category:Technical|Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-03-31Technical Team/Minutes/2020-03-312020-04-20T18:34:31Z<p>Goneall: Created page with "March 31, 2020 == Attendees == * Santiago Torres Arias * Gary O’Neall * Jack Manbeck * Jim Hutchinson * Peter Shin * Alexios Zavras * Andrea Denisse Gomez (new) * Nisha Kuma..."</p>
<hr />
<div>March 31, 2020<br />
== Attendees ==<br />
* Santiago Torres Arias<br />
* Gary O’Neall<br />
* Jack Manbeck<br />
* Jim Hutchinson<br />
* Peter Shin<br />
* Alexios Zavras<br />
* Andrea Denisse Gomez (new)<br />
* Nisha Kumar<br />
* Steve Winsolw<br />
* William Bartholmew<br />
* Kate Stewart<br />
* Vicfred Petrelli<br />
* Jiyun Kang<br />
<br />
==3.0==<br />
* Santiago provide overview of linking profile being proposed for 3.0<br />
Recording of the presentation can be found at https://zoom.us/rec/share/-90lL_Lo03hOfLPv2QbZAa8kH5j4X6a8hihKqaBczEpJTJHaMzbGpfUcPBpgfz7y<br />
* 8 locations in abstract supply chain can be compromised<br />
* Looking for people to participate in work group on this.<br />
* Nisha: what's the difference between relationships vs. links? <br />
** Looking for these artifacts come from build stage.<br />
* Alexios: Multiple inputs/outputs - love this idea of documenting what is happening, very much in favor of having this information. Only objection with name "linking profile" - points to something else. <br />
** Santiago receptive for changing the name if we can find a better idea. <br />
* Gary: The way I'm thinking about it is relationships are static - the state how the artifacts are related at the time the SPDX document is created. Links are more dynamic, they describe an action taken which probably creates a relationship - including the who and how in addition to the "what" of the relationship.<br />
* Nisha Kumar: Post build state vs build time state?<br />
* Steve Winslow: <br />
* I think that's right, Gary. A relationship just describes "this thing is this way", e.g. "Package A depends on Package B". A Link goes further to assert who does what, e.g. "I added Package B as a dependency for Package A, I got B's source code and built it"<br />
* Peter Shin: Which words do you use to describe "link" in the in-toto process? Do you use the word, "link" or multiple words?<br />
* Gary - very interested in participating in these discussions, and interested to do some object modeling here. Linking relating to relationships. <br />
* - Santiago interested in making this an SPDX native concept. Possibly extend relationships.<br />
* Explicit Interest in making this a focus of 3.0 from: Santiago, WIlliam, Gary, Rose, Nitsha, Alexios, Kate, Steve <br />
** Decision to work on spdx-tech mail list. Then possibly dedicate some weekly call. <br />
<br />
==2.2 issues==<br />
* https://github.com/spdx/spdx-spec/issues/97<br />
* Other issues recorded in Github<br />
<br />
<br />
[[Category:Technical|Minutes]]<br />
[[Category:Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-04-14Technical Team/Minutes/2020-04-142020-04-14T18:07:04Z<p>Goneall: Created page with "April 14, 2020 == Attendees == * Alexios Zavras * Nisha Kumar * Steve Winslow * Kate Stewart * Santiago * William Bartholomew * Gary O’Neall * Peter Shin * Thomas Steenberg..."</p>
<hr />
<div>April 14, 2020<br />
== Attendees ==<br />
* Alexios Zavras <br />
* Nisha Kumar<br />
* Steve Winslow<br />
* Kate Stewart<br />
* Santiago<br />
* William Bartholomew<br />
* Gary O’Neall<br />
* Peter Shin<br />
* Thomas Steenbergen<br />
<br />
==SPDX 2.2==<br />
* Broken diagrams<br />
** Kate is fixing the first the first one<br />
** Gary will update the model next week, we can go ahead and send out before the update if needed<br />
* ISO write onboard<br />
** Will do formatting<br />
** Need to add examples<br />
** Will invite the text writer into next call<br />
<br />
==Profiles==<br />
* Add an array at the document level with profiles; don’t need base since it is implied<br />
* Enum would require update spec, having a String would be more flexible<br />
* Another possibility is to assume a profile based on the “namespace” or what items<br />
* Consensus Profiles “set” with enumeration<br />
* Versioning of profiles<br />
** Should each profile have a version – similar to the license list?<br />
** Would we release different profiles at different times?<br />
** Thomas expressed interest in keeping it simple, only use SPDX versions – keep profile versions synchronized with SPDX version<br />
** Nisha raised the possibility of keeping a document manifest<br />
** We could support manifests using external document references<br />
* Discussion on simplicity<br />
** All agree this should be a guiding principle – we would want 3.0 to be less complex than 2.2<br />
** Discussion on how important human writable/readable<br />
** Are there requirements to make sure we don’t make it “too simple”?<br />
*** We can use the use cases to confirm?<br />
*** Peter will create a document<br />
<br />
==Linking and relationships==<br />
* Links will be part of the base profile<br />
* Provenance elements part of the relationship<br />
* Consider having provenance information as properties of the relationships<br />
* Profiles could still describe the relationship required properties<br />
* Concept of strong and weak relationships<br />
** Strong relationship would include the provenance information<br />
* Inheritance vs containing<br />
** Inheritance would be less disruptive<br />
** Signing could be impacted<br />
** Should we pull in Grafeas to verify use cases and deployability<br />
** Schedule 2 Tuesday’s from now<br />
<br />
==Software lifecycle proposal==<br />
* Proposal for a format for SCM proposal <br />
* Similar to software product lifecycle<br />
* Very similar to work being done by Santiago<br />
* Scope is not just license compatibility, but also contractual compatibility<br />
* Would be a profile<br />
* Design principle – prefer SPDX stick to facts<br />
<br />
[[Category:Technical|Minutes]]<br />
[[Category:Minutes]]</div>Goneallhttps://wiki.spdx.org/view/Technical_Team/Minutes/2020-04-07Technical Team/Minutes/2020-04-072020-04-07T19:43:28Z<p>Goneall: Created page with "April 7, 2020 == Attendees == * William Bartholomew * Kate Stewart * Steve Winslow * Alexios Zavras * Gary O’Neall * Peter Shin * Rose Judge * Santiago * Thomas Steenbergen..."</p>
<hr />
<div>April 7, 2020<br />
== Attendees ==<br />
* William Bartholomew<br />
* Kate Stewart<br />
* Steve Winslow<br />
* Alexios Zavras<br />
* Gary O’Neall<br />
* Peter Shin<br />
* Rose Judge<br />
* Santiago<br />
* Thomas Steenbergen<br />
<br />
==GSoC==<br />
* Santiago interested<br />
* Alexios interested in the Python<br />
* 8 total mentors – we can probably do 5 projects<br />
* Gary to schedule a meeting before the 21st to choose the number of slots<br />
<br />
==2.2 issues==<br />
* Resolved all open issues and pull requests<br />
<br />
[[Category:Technical|Minutes]]<br />
[[Category:Minutes]]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2020-03-24T23:08:17Z<p>Goneall: /* Available Mentors */</p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from last year can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Generate Java SPDX Model Classes from XML XSD file ===<br />
In SPDX 3.0, we will be generating an XML XSD schema to define the model. This project idea is to use the XSD schema to generate a set of Java classes which represent the complete SPDX model. The generated classes would be used as part of a re-designed Java tool for SPDX. <br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* Skills in code generation practices<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
* A proposed XSD for SPDX can be found on [https://github.com/mil-oss/spdx-xsd github]. Note: This is a very early proposal and would likely change significantly.<br />
* Current Java tools can be found on [https://github.com/spdx/tools SPDX Tools github page]<br />
* A rewrite of the Java tools is in progress. The in progress work can be found at the [https://github.com/goneall/Spdx-Java-Library Spdx-Java-Library] github page.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Validate License Cross-References ===<br />
Enhance the SPDX LicenseListPublisher to validate the cross reference / seeAlso URL's for the license. One check would be to validate the link is still valid. This would need to be done in a way that has reasonably good performance (e.g. a long timeout would not work). Another check would be to identify the license text in the linked URL and compare it to the license text for the license itself to make sure they match. If either of these tests fail, a validity attribute should be added to the license output files (e.g. the license JSON files).<br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* HTML parsing skills<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
The [https://spdx.org/licenses/ SPDX license list] is generated from a [https://github.com/spdx/license-list-XML git repository of XML files]. One of the fields maintained in the XML is the crossRef which is a URL cross reference for the license which may be valid or it may also be a "dead link". The [https://github.com/spdx/LicenseListPublisher LicenseListPublisher] is the tool that generates the web pages and the output formats. The output formats can be found in the [https://github.com/spdx/license-list-data SPDX license list data] git repository. [https://github.com/spdx/LicenseListPublisher/issues/60#issuecomment-570511697 Issue #60] for the LicenseListPublisher describes a request to include validity attribute.<br />
<br />
Over the summer, we may be adding the XML format to the supported output data formats in the license list data repo.<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== Improve SPDX Golang tooling ===<br />
The goal of this GSoC project would be to add support in the [https://github.com/spdx/tools-golang SPDX Golang tools] for SPDX documents in versions of the SPDX spec other than 2.1, including the upcoming 2.2 spec release which will add JSON, YAML and XML to the supported formats. Other work may include improving the validation and data model used by the Golang tools.<br />
<br />
====Skills Needed====<br />
* Go programming skills<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
The [https://github.com/spdx/tools-golang SPDX Golang tools] were initially designed to work with SPDX documents in tag-value format, for version 2.1 of [https://spdx.org/specifications the SPDX specification]. Currently it does not support earlier versions of the SPDX specification. Also, [https://github.com/spdx/spdx-spec/milestone/2 the upcoming 2.2 spec release], in addition to new data fields, will also add support for SPDX documents in JSON, YAML and XML formats. The Golang tools should (at a minimum) be updated to enable reading and writing in JSON and YAML.<br />
<br />
The SPDX Golang tools currently do some validation when reading and parsing SPDX documents, but they do not currently do much validation of the content itself. For example, license fields are represented as strings, but the tools do not currently check to confirm that e.g. the license identifiers are valid SPDX license expressions. Additional validation support to improve this would be beneficial.<br />
<br />
Additionally, the [https://github.com/spdx/tools-golang/tree/master/spdx data model used internally by the SPDX tools] to represent SPDX content is different in some ways from the data model used by other tools (e.g. [https://github.com/spdx/tools/tree/master/src/org/spdx/rdfparser/model Java], [https://github.com/spdx/tools-python/tree/master/spdx Python]). One goal for this project might be to evaluate the choices made by those other tools, and consider whether the Golang tools' data model should change to align with those.<br />
<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== GoLang Parallel RDF Parser ===<br />
Implement a high performance RDF parser for GoLang to support the SPDX RDF/XML format parsing and production.<br />
<br />
====Skills Needed====<br />
* GoLang programming skills<br />
* Knowledge of RDF<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
As of now, there are very few known libraries in GoLang which support RDF-Parsing and are Licensed to use with an open-source project. One of them is [https://godoc.org/github.com/knakk/rdf](knakk/rdf2go). This library uses the RDF serialization format. All the current projects claiming to parse RDF files have implemented it in a linear fashion(line by line parsing) making it a repetitive and time-consuming process. This project will aim to chunk the RDF files into appropriate blocks and parse them simultaneously to reduce the effective time required to parse the entire document. The parser must conform to the SPDX-2.x version standards and have proper tests for each procedure.<br />
<br />
This project could be included as part of a larger project which includes other fixes to the GoLang tools (see the Improve GoLang tooling project idea above).<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== SPDX Plugins for Package Managers ===<br />
Create a native plug-in or extension to a well-known package manager to generate valid SPDX documents based on the information provided in the build metadata files. Examples of package managers include Node Package Manager (NPM), Gradle, Rust Cargo, Ruby Gems, Python pip, and Cocoa Pods. A plugin for Maven has already been developed and can be used as an example.<br />
<br />
The plugin should generate a valid SPDX document with minimal configuration required by the user.<br />
====Skills Needed====<br />
* Programming languages skills will depend on the package manager (e.g. Ruby for Ruby Gems, JavaScript for NPM)<br />
* Knowledge of package managers and build processes<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
====Background Information====<br />
SPDX produces a standard Bill of Materials for software containing package and license information. Package managers collect and manage much of the data needed to produce an SPDX document. Automatically generating SPDX documents in package managers will greatly increase the efficiency and adoption of SPDX.<br />
<br />
The [Maven Plugin]( https://github.com/spdx/spdx-maven-plugin) is a prototype plugin developed for the Maven build system. It can be used as an example for creating plugins for other build environments.<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:kstewart@linuxfoundation.org Kate Stewart] <br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]<br />
<br />
=== ClearlyDefined exporting and importing SPDX documents ===<br />
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.<br />
<br />
====Skills Needed====<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
Export a ClearlyDefined workspace as a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* Add one or more components to the workspace through any of the existing means, <br />
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).<br />
which would result in an SPDX document is exported containing all of the components that were in the workspace.<br />
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.<br />
<br />
To populate a workspace from a SPDX document:<br />
* user to navigate to https://clearlydefined.io/workspace<br />
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.<br />
<br />
There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?<br />
<br />
====Available Mentors====<br />
[mailto:kstewart@linuxfoundation.org Kate Stewart]<br />
[mailto:IAMWILLBAR@github.com William Bartholomew]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2020-03-04T17:26:42Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from last year can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Generate Java SPDX Model Classes from XML XSD file ===<br />
In SPDX 3.0, we will be generating an XML XSD schema to define the model. This project idea is to use the XSD schema to generate a set of Java classes which represent the complete SPDX model. The generated classes would be used as part of a re-designed Java tool for SPDX. <br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* Skills in code generation practices<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
* A proposed XSD for SPDX can be found on [https://github.com/mil-oss/spdx-xsd github]. Note: This is a very early proposal and would likely change significantly.<br />
* Current Java tools can be found on [https://github.com/spdx/tools SPDX Tools github page]<br />
* A rewrite of the Java tools is in progress. The in progress work can be found at the [https://github.com/goneall/Spdx-Java-Library Spdx-Java-Library] github page.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Validate License Cross-References ===<br />
Enhance the SPDX LicenseListPublisher to validate the cross reference / seeAlso URL's for the license. One check would be to validate the link is still valid. This would need to be done in a way that has reasonably good performance (e.g. a long timeout would not work). Another check would be to identify the license text in the linked URL and compare it to the license text for the license itself to make sure they match. If either of these tests fail, a validity attribute should be added to the license output files (e.g. the license JSON files).<br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* HTML parsing skills<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
The [https://spdx.org/licenses/ SPDX license list] is generated from a [https://github.com/spdx/license-list-XML git repository of XML files]. One of the fields maintained in the XML is the crossRef which is a URL cross reference for the license which may be valid or it may also be a "dead link". The [https://github.com/spdx/LicenseListPublisher LicenseListPublisher] is the tool that generates the web pages and the output formats. The output formats can be found in the [https://github.com/spdx/license-list-data SPDX license list data] git repository. [https://github.com/spdx/LicenseListPublisher/issues/60#issuecomment-570511697 Issue #60] for the LicenseListPublisher describes a request to include validity attribute.<br />
<br />
Over the summer, we may be adding the XML format to the supported output data formats in the license list data repo.<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] <br />
<br />
=== Improve SPDX Golang tooling ===<br />
The goal of this GSoC project would be to add support in the [https://github.com/spdx/tools-golang SPDX Golang tools] for SPDX documents in versions of the SPDX spec other than 2.1, including the upcoming 2.2 spec release which will add JSON, YAML and XML to the supported formats. Other work may include improving the validation and data model used by the Golang tools.<br />
<br />
====Skills Needed====<br />
* Go programming skills<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
The [https://github.com/spdx/tools-golang SPDX Golang tools] were initially designed to work with SPDX documents in tag-value format, for version 2.1 of [https://spdx.org/specifications the SPDX specification]. Currently it does not support earlier versions of the SPDX specification. Also, [https://github.com/spdx/spdx-spec/milestone/2 the upcoming 2.2 spec release], in addition to new data fields, will also add support for SPDX documents in JSON, YAML and XML formats. The Golang tools should (at a minimum) be updated to enable reading and writing in JSON and YAML.<br />
<br />
The SPDX Golang tools currently do some validation when reading and parsing SPDX documents, but they do not currently do much validation of the content itself. For example, license fields are represented as strings, but the tools do not currently check to confirm that e.g. the license identifiers are valid SPDX license expressions. Additional validation support to improve this would be beneficial.<br />
<br />
Additionally, the [https://github.com/spdx/tools-golang/tree/master/spdx data model used internally by the SPDX tools] to represent SPDX content is different in some ways from the data model used by other tools (e.g. [https://github.com/spdx/tools/tree/master/src/org/spdx/rdfparser/model Java], [https://github.com/spdx/tools-python/tree/master/spdx Python]). One goal for this project might be to evaluate the choices made by those other tools, and consider whether the Golang tools' data model should change to align with those.<br />
<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== GoLang Parallel RDF Parser ===<br />
Implement a high performance RDF parser for GoLang to support the SPDX RDF/XML format parsing and production.<br />
<br />
====Skills Needed====<br />
* GoLang programming skills<br />
* Knowledge of RDF<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
As of now, there are very few known libraries in GoLang which support RDF-Parsing and are Licensed to use with an open-source project. One of them is [https://godoc.org/github.com/knakk/rdf](knakk/rdf2go). This library uses the RDF serialization format. All the current projects claiming to parse RDF files have implemented it in a linear fashion(line by line parsing) making it a repetitive and time-consuming process. This project will aim to chunk the RDF files into appropriate blocks and parse them simultaneously to reduce the effective time required to parse the entire document. The parser must conform to the SPDX-2.x version standards and have proper tests for each procedure.<br />
<br />
This project could be included as part of a larger project which includes other fixes to the GoLang tools (see the Improve GoLang tooling project idea above).<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== SPDX Plugins for Package Managers ===<br />
Create a native plug-in or extension to a well-known package manager to generate valid SPDX documents based on the information provided in the build metadata files. Examples of package managers include Node Package Manager (NPM), Gradle, Rust Cargo, Ruby Gems, Python pip, and Cocoa Pods. A plugin for Maven has already been developed and can be used as an example.<br />
<br />
The plugin should generate a valid SPDX document with minimal configuration required by the user.<br />
====Skills Needed====<br />
* Programming languages skills will depend on the package manager (e.g. Ruby for Ruby Gems, JavaScript for NPM)<br />
* Knowledge of package managers and build processes<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
====Background Information====<br />
SPDX produces a standard Bill of Materials for software containing package and license information. Package managers collect and manage much of the data needed to produce an SPDX document. Automatically generating SPDX documents in package managers will greatly increase the efficiency and adoption of SPDX.<br />
<br />
The [Maven Plugin]( https://github.com/spdx/spdx-maven-plugin) is a prototype plugin developed for the Maven build system. It can be used as an example for creating plugins for other build environments.<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:kstewart@linuxfoundation.org Kate Stewart] <br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]</div>Goneallhttps://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeasGSOC/GSOC ProjectIdeas2020-03-04T17:24:37Z<p>Goneall: </p>
<hr />
<div><br /><br />
<br />
<span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span><br />
<br />
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.<br />
<br />
Should you have questions please do not hesitate to contact one of the mentors directly.<br />
<br />
<br /><br />
<br />
__TOC__<br />
<br />
<br /><br />
<br />
== What is SPDX ? ==<br />
<br />
First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.<br />
<br />
As part of this effort we have developed a set of collateral that can be used:<br />
<br />
* [https://spdx.org/using-spdx License List and Short Identifiers]<br />
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]<br />
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]<br />
* [https://spdx.org/using-spdx License Identifiers in source]<br />
<br />
== Why choose an SPDX Project? ==<br />
<br />
Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.<br />
<br />
<br/><br />
<br />
= Getting Involved =<br />
<br />
Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .<br />
<br />
== Resources ==<br />
<br />
* [http://spdx.org SPDX website]<br />
* [https://spdx.org/specifications SPDX Specification]<br />
* [https://spdx.org/tools SPDX Workgroup Tools webpage]<br />
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]<br />
<br />
=Proposed 2020 Projects=<br />
<br />
Mentors: please fill out the following template for any projects you wish to propose. <br />
<br />
=== Project Name ===<br />
add overview of project here<br />
====Skills Needed====<br />
what skills should the student have to do the coding exercises<br />
====Background Information====<br />
context for the project and references to be studied<br />
====Available Mentors====<br />
list individuals who are willing to mentor and provide information about the project proposal. <br />
<br />
(The projects from last year can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).<br />
<br />
==SPDX Workgroup Tooling Projects== <br />
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.<br />
<br />
===Implement SPDX License Matching in Python===<br />
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.<br />
<br />
Following is a list of suggested features:<br />
* Provide an interface which will check text against a license template using the license matching guidelines<br />
* Provide an interface which will check text and return all matching SPDX listed license ID's<br />
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines<br />
* When there is not a match, provide a return value making it possible to describe where and why the license does not match<br />
<br />
====Background Information====<br />
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines<br />
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification<br />
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]<br />
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.<br />
<br />
====Skills Needed==== <br />
* Development skills in the Python<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Generate Java SPDX Model Classes from XML XSD file ===<br />
In SPDX 3.0, we will be generating an XML XSD schema to define the model. This project idea is to use the XSD schema to generate a set of Java classes which represent the complete SPDX model. The generated classes would be used as part of a re-designed Java tool for SPDX. <br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* Skills in code generation practices<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
* A proposed XSD for SPDX can be found on [https://github.com/mil-oss/spdx-xsd github]. Note: This is a very early proposal and would likely change significantly.<br />
* Current Java tools can be found on [https://github.com/spdx/tools SPDX Tools github page]<br />
* A rewrite of the Java tools is in progress. The in progress work can be found at the [https://github.com/goneall/Spdx-Java-Library Spdx-Java-Library] github page.<br />
<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== Validate License Cross-References ===<br />
Enhance the SPDX LicenseListPublisher to validate the cross reference / seeAlso URL's for the license. One check would be to validate the link is still valid. This would need to be done in a way that has reasonably good performance (e.g. a long timeout would not work). Another check would be to identify the license text in the linked URL and compare it to the license text for the license itself to make sure they match. If either of these tests fail, a validity attribute should be added to the license output files (e.g. the license JSON files).<br />
<br />
====Skills Needed====<br />
* Java programming skills<br />
* XML/XSD skills<br />
* HTML parsing skills<br />
* Ability to work with the community in integrating results with other projects<br />
<br />
====Background Information====<br />
The [https://spdx.org/licenses/ SPDX license list] is generated from a [https://github.com/spdx/license-list-XML git repository of XML files]. One of the fields maintained in the XML is the crossRef which is a URL cross reference for the license which may be valid or it may also be a "dead link". The [https://github.com/spdx/LicenseListPublisher LicenseListPublisher] is the tool that generates the web pages and the output formats. The output formats can be found in the [https://github.com/spdx/license-list-data SPDX license list data] git repository. [https://github.com/spdx/LicenseListPublisher/issues/60#issuecomment-570511697 Issue #60] for the LicenseListPublisher describes a request to include validity attribute.<br />
<br />
Over the summer, we may be adding the XML format to the supported output data formats in the license list data repo.<br />
<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] <br />
<br />
=== Improve SPDX Golang tooling ===<br />
The goal of this GSoC project would be to add support in the [https://github.com/spdx/tools-golang SPDX Golang tools] for SPDX documents in versions of the SPDX spec other than 2.1, including the upcoming 2.2 spec release which will add JSON, YAML and XML to the supported formats. Other work may include improving the validation and data model used by the Golang tools.<br />
<br />
====Skills Needed====<br />
* Go programming skills<br />
* Experience with JSON and YAML (XML a plus)<br />
* Ability to interpret and implement the SPDX specification and related community documentation<br />
* Ability to work with the community in integrating results with other projects<br />
* Willingness to learn about open source licensing and related technical matters<br />
<br />
====Background Information====<br />
The [https://github.com/spdx/tools-golang SPDX Golang tools] were initially designed to work with SPDX documents in tag-value format, for version 2.1 of [https://spdx.org/specifications the SPDX specification]. Currently it does not support earlier versions of the SPDX specification. Also, [https://github.com/spdx/spdx-spec/milestone/2 the upcoming 2.2 spec release], in addition to new data fields, will also add support for SPDX documents in JSON, YAML and XML formats. The Golang tools should (at a minimum) be updated to enable reading and writing in JSON and YAML.<br />
<br />
The SPDX Golang tools currently do some validation when reading and parsing SPDX documents, but they do not currently do much validation of the content itself. For example, license fields are represented as strings, but the tools do not currently check to confirm that e.g. the license identifiers are valid SPDX license expressions. Additional validation support to improve this would be beneficial.<br />
<br />
Additionally, the [https://github.com/spdx/tools-golang/tree/master/spdx data model used internally by the SPDX tools] to represent SPDX content is different in some ways from the data model used by other tools (e.g. [https://github.com/spdx/tools/tree/master/src/org/spdx/rdfparser/model Java], [https://github.com/spdx/tools-python/tree/master/spdx Python]). One goal for this project might be to evaluate the choices made by those other tools, and consider whether the Golang tools' data model should change to align with those.<br />
<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
<br />
=== GoLang Parallel RDF Parser ===<br />
Implement a high performance RDF parser for GoLang to support the SPDX RDF/XML format parsing and production.<br />
<br />
====Skills Needed====<br />
* GoLang programming skills<br />
* Knowledge of RDF<br />
* Knowledge of parsing algorithms<br />
<br />
====Background Information====<br />
As of now, there are very few known libraries in GoLang which support RDF-Parsing and are Licensed to use with an open-source project. One of them is [https://godoc.org/github.com/knakk/rdf](knakk/rdf2go). This library uses the RDF serialization format. All the current projects claiming to parse RDF files have implemented it in a linear fashion(line by line parsing) making it a repetitive and time-consuming process. This project will aim to chunk the RDF files into appropriate blocks and parse them simultaneously to reduce the effective time required to parse the entire document. The parser must conform to the SPDX-2.x version standards and have proper tests for each procedure.<br />
<br />
This project could be included as part of a larger project which includes other fixes to the GoLang tools (see the Improve GoLang tooling project idea above).<br />
====Available Mentors====<br />
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]<br />
<br />
=== SPDX Plugins for Package Managers ===<br />
Create a native plug-in or extension to a well-known package manager to generate valid SPDX documents based on the information provided in the build metadata files. Examples of package managers include Node Package Manager (NPM), Gradle, Rust Cargo, Ruby Gems, Python pip, and Cocoa Pods. A plugin for Maven has already been developed and can be used as an example.<br />
<br />
The plugin should generate a valid SPDX document with minimal configuration required by the user.<br />
====Skills Needed====<br />
* Programming languages skills will depend on the package manager (e.g. Ruby for Ruby Gems, JavaScript for NPM)<br />
* Knowledge of package managers and build processes<br />
* Skills in parsing and pattern matching<br />
* Ability to work with the community in integrating results with other projects<br />
====Background Information====<br />
SPDX produces a standard Bill of Materials for software containing package and license information. Package managers collect and manage much of the data needed to produce an SPDX document. Automatically generating SPDX documents in package managers will greatly increase the efficiency and adoption of SPDX.<br />
<br />
The [Maven Plugin]( https://github.com/spdx/spdx-maven-plugin) is a prototype plugin developed for the Maven build system. It can be used as an example for creating plugins for other build environments.<br />
====Available Mentors====<br />
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:kstewart@linuxfoundation.org Kate Stewart] <br />
<br />
==SPDX Specification Projects==<br />
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.<br />
<br />
=== SPDX Specification Views for legal counsels and developers ===<br />
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.<br />
====Skills Needed====<br />
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX<br />
====Background Information====<br />
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:<br />
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.<br />
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions<br />
====Available Mentors====<br />
[mailto:swinslow@linuxfoundation.org Steve Winslow]<br />
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]</div>Goneall