SPDX Wiki - User contributions [en]

General Meeting/Minutes/2021-05-06

2021-05-07T18:15:50Z

K.stewart: /* Tech Team Report - Kate/Gary/Others */

* Attendance: 18
* Lead by Phil Odence
* Minutes of Apri meeting Approved

* Plan was to switch to Zoom
* Considering using Jitsu

== SPDX License Name Space at Amazon - Mark ==

* https://docs.google.com/presentation/d/1uCAJW79hzqLAPhXfAn4maCRk9TZUhLJDAPEOBlgUFTw/edit?usp=sharing

== Tech Team Report - Kate/Gary/Others ==

* Spec – Kate
** Specification conversations continuing to move forward
** Rough template for categories of topics (what were previously being called “profiles”)
** Core Model - William
*** No Update
** Licensing - Steve
*** filed PR with initial draft for discussion of template format, etc.; will update to newer template; previously discussed much of its substance last year
** Integrity – Kay
*** working with in-toto community, framework for end-to-end supply chain security; collaborating with them to see if the specs can be aligned
** Defects / Security – Thomas not here today
*** pushed first draft of fields for (1) vulnerabilities, and (2) defects => impact on packages, false positives, etc.
**** https://github.com/spdx/spdx-spec/pull/510
*** Meetings next week to look at other security specs, their use cases, whether they can / how they should be incorporated
** Linking – Nisha not here today
*** Kate discussing with Nisha / Rose
** Usage – Yoshiyuki Ito
*** No update
** Pedigree / Build / Creation – Kate
*** No Update
* GSoC- Alexios
** Got 5 slots; can run up to 5 projects
** Likely to accept 5 proposals:
*** 2 for improving Golang tooling libraries (one RDF writing, one JSON reading/writing)
*** 1 for transitioning / updating online SPDX tools
*** 1 for spec processing tools
*** 1 for improved license matcher, taking matching guidelines into account (unplanned submission)

== Legal Team Report - Jilayne/Paul/Steve ==

* Working for 3.13, planning to push out over the weekend
* Have been trying to clean up old issues
* Some updates on documentation in the repo
* New participants recently – some discussions on recent calls have included reviewing past history; may want to put together more historical documentation of past context, etc.
* Some interest from Debian – interest in getting a Debian-free tickbox into the license list
* License submissions – starting to take a harder line on participation from people submitting license requests without sticking with them. For this release, started asking people to create the PR’s themselves – a few of the submitters at least responded and indicated they would do so
* Still relying on the calls too much; having people commenting in issues out-of-band would be very helpful

== Outreach Team Report - Kate ==

* Continuing to see interest in SPDX across different communities
* Zephyr – auto-generation
* Possible interest in re-starting Outreach team meetings – Sebastian interest, Aveek also
* Kate will reach out to Jack and either ask him to restart or else Kate will restart

== Other Topics ==

* Sebastian – interest in Arch Linux in using SPDX
** Some work being done on the Arch packaging system, interest in using SPDX licenses
* Jitsi
** Jilayne - Jitsi – this has gone well, plan to update to this for future General calls
** Legal and Tech teams can update if/when they choose
** Europe, UK, etc. seems to be working
** Bob – recommend putting passwords on it
** Steve – discuss whether to put one on. Possible but appears to prevent dial-ins afterwards.
*** Steve will look into options

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Mark Atwood, Amazon
* Matthew Crawford, ARM
* Bob Martin, Mitre
* Philippe Emmanuel Douziech, CAST
* Jilayne Lovejoy, Red Hat
* Maximilian Huber, TNG
* Alexios Zavras, Intel
* Kay Williams, Microsoft
* David Edelsohn, IBM
* Thomas Steenbergen, HERE
* Jeff Schutt, Cisco
* Kate Stewart, Linux Foundation
* Michael Herzog- nexB
* Sebastian Crane
* Steve Winslow, LF
* Marc Etienne Vargenau, Nokia
* Jonas Smedegaard, self

[[Category:General|Minutes]]
[[Category:Minutes]]

Technical Team/Minutes/2020-09-15

2020-09-15T21:04:43Z

K.stewart:

September 15, 2020
== Attendees ==
* Kate Stewart
* Thomas Steenbergen
* Gary O’Neall
* David Kemp
* Jim Hutchison
* Peter Shin

Topics:
* Demo of new online tools
** namespace followup with Mark, Philippe and Fossology
* Document generation / XSD/ XML
* Discussion on the capturing of facts vs opinions
** relationship property
** annotation type

== Demo of new online tools ==
* A test version of the online tools is available at http://52.32.53.255/
* Walked through the functionality
* Discussion on the namespace features
** Organizations – can only be added by authorized users
*** We could use this to help maintain who has the ability to add which organizations to license namespace
** Request Mark Atwoord (Amazon), Philippe (NexB), and FOSSology to review the new namespace functionality

==Schema Generation==
* Overview of current process
** RDF OWL document is the base format used to generate all other documents
** OWL document is kept manually in sync with spec with the spec being the source of record
* Desire to change process in the future
** Automatically keep document and OWL documents in sync
** Have a different mechanism for describing the constraints that is more convenient than OWL
*** OMG is using OWL and SHACL
*** SHAX is another possibility
*** David is working on a graph language that may help – will keep us up to date

==Facts vs Opinions in SPDX Documents==
* Currently, principle stated that documents are focused on facts
* Some of the proposals for new profile introduce things that are not necessary facts
** Proposal to extend Relationship to include things that may not be facts
** Proposal to add Annotations to capture assertions about information in the document.
* Example – expiration information, but from the SPDX ASIA call, there is also product usage (ok for testing), as well as affiliation of components with specific products.

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-08-04

2020-08-05T17:27:18Z

K.stewart: /* SPDX Online Tools Web Application */

August 4, 2020
== Attendees ==
* Kate Stewart
* Thomas Steenbergen
* William Bartholomew
* Steve Winslow
* Gary O’Neall
* Rose Judge
* Peter Shin

Topics:
* SPDX 3.0 Document Structure
* GSoC Update
* SPDX Online Tools
* Security related – LF security

==GSoC Update==
* All students passed
* Some issues making good progress on the generating Java code from XSD – more complex than we originally thought
* Some issues with communications
** Rishabh has been keeping a log on Google Docs which is a good practice
** Kate will suggest on gitter that all students adopt this practice.

==SPDX Online Tools Web Application==
* Funding goal for the SPDX online tools was achieved through community bridge
** Enough funding for 14 months of hosting
** A big Thank you to all supporters! https://funding.communitybridge.org/projects/f0e320d6-9c86-4656-ad4d-97842f25b124/financial
* See meta issue for current status and progress https://github.com/spdx/spdx-online-tools/issues/199
* Request to add SPDX document – see issue https://github.com/spdx/spdx-online-tools/issues/209
* Thomas is also looking for funding through ACT for ORT
** Discussed possibility of sharing infrastructure
** Thomas suggested using Lightsail rather than RDS for the PostgreSQL database

==SPDX Document Structure==
* Update to model
** Added name to Artifact
* Document proposal to break down into clauses
** Constrained by ISO to not having sub-sections or clauses
* Structure on subclasses
** Suggested we having a naming standard for the clauses that indicate the subclasses
* Structure
* Moving external document references to the linking profile
** Concern about requiring all the requirements of linking profile
*** Possible 2 profiles, one for document linking and a stronger one for InToto
** Concern about having required information for being able to link to a document
*** General agreement
*** Would like to simplify the approach language
*** Several possible solutions including the PURL
** SPDX Lite – should it be part of licensing or separate profile?
** Suggestion to introduce pre-requisite profiles

==Next Week==
* Continue discussion on container SBOM relationships
* Aug 11 Legal profile

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-08-04

2020-08-05T17:25:28Z

K.stewart: /* GSoC Update */

August 4, 2020
== Attendees ==
* Kate Stewart
* Thomas Steenbergen
* William Bartholomew
* Steve Winslow
* Gary O’Neall
* Rose Judge
* Peter Shin

Topics:
* SPDX 3.0 Document Structure
* GSoC Update
* SPDX Online Tools
* Security related – LF security

==GSoC Update==
* All students passed
* Some issues making good progress on the generating Java code from XSD – more complex than we originally thought
* Some issues with communications
** Rishabh has been keeping a log on Google Docs which is a good practice
** Kate will suggest on gitter that all students adopt this practice.

==SPDX Online Tools Web Application==
* Funding goal for the SPDX online tools was achieved through community bridge
** Enough funding for 14 months of hosting
* See meta issue for current status and progress https://github.com/spdx/spdx-online-tools/issues/199
* Request to add SPDX document – see issue https://github.com/spdx/spdx-online-tools/issues/209
* Thomas is also looking for funding through ACT for ORT
** Discussed possibility of sharing infrastructure
** Thomas suggested using Lightsail rather than RDS for the PostgreSQL database

==SPDX Document Structure==
* Update to model
** Added name to Artifact
* Document proposal to break down into clauses
** Constrained by ISO to not having sub-sections or clauses
* Structure on subclasses
** Suggested we having a naming standard for the clauses that indicate the subclasses
* Structure
* Moving external document references to the linking profile
** Concern about requiring all the requirements of linking profile
*** Possible 2 profiles, one for document linking and a stronger one for InToto
** Concern about having required information for being able to link to a document
*** General agreement
*** Would like to simplify the approach language
*** Several possible solutions including the PURL
** SPDX Lite – should it be part of licensing or separate profile?
** Suggestion to introduce pre-requisite profiles

==Next Week==
* Continue discussion on container SBOM relationships
* Aug 11 Legal profile

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-06-09

2020-06-11T23:36:25Z

K.stewart: /* Attendees */

June 9, 2020
== Attendees ==
* Kate Stewart
* Jack Manbeck
* John Mudge
* Rex Jaeschke
* 12066042189
* Brad Goldring
* Emmanuel
* Jilayne Lovejoy
* Matija Suklje
* Nisha Kumar
* Peter Shin
* Rose Judge
* Santiago Torres
* Vicky Brasseur
* Gary O’Neall
* Mark Atwood

Topics:
* Rex/John update on 2.2.1
* GSoC
* SPDX Licensing Profile

==SPDX 2.2.1==
* Update from Rex
** 6 remaining issues
*** Will be covered in a follow-up call with Kate. Any remaining issues will be brought to the group for next week
** Question on formatting for the headings and the links
*** Jack, Kate, Thomas, Rex and John will discuss offline

==GSoC==
* coding has started

==SPDX 3.0 Licensing Profile==
* Meta issue #386 is tracking all the license profile related issues
* Consolidating issues for license profile issue #385
** Collection of fields for license
* Do we need a distributed license?
** Both Jilayne and Steve believe that concluded license can be used
*** This was the original intent of concluded license
** Thomas expressed an interest in clearly declaring a non-disjunctive license at the point of distribution
*** Different distributed licenses may be chosen for different customers
** Documentation currently doesn’t capture the disjunctive choice scenario for concluded license
** Concluded is currently used for both adding a reviewed conclusion on the license data and for the choice of disjunctive licenses
** Vicky recommended that since the tool creators are requesting it, that should weigh in to the decision.
** Brad suggested teasing apart the document creator and the artifact creator when defining distributed license
*** Kate agrees that clarity around roles is going to be needed
* General support for moving to 2 fields for every artifact DeclaredLicense and ConcludedLicense
* Use of the DistributedLicense needs more discussion
** Description of use cases for DistributedLicense
** Updated documentation for ConcludedLicense to include disjunctive choice
** Documentation on Artifact

==Next Week’s Agenda==
* 2.2.1 update
* GSoC

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-06-09

2020-06-11T23:35:21Z

K.stewart: /* Licensing Profile */

June 9, 2020
== Attendees ==
* Kate Stewart
* Jack Manbeck
* John Mudge
* Rex Jaeschke
* 12066042189
* Brad Goldring
* Emmanuel
* Jilayne Lovejoy
* Matija Suklje
* Nisha Kumar
* Peter Shin
* Rose Judge
* Santiago Torres
* Vicky Brasseur
* Gary O’Neall
* Mark Atwood

Topics:
Rex/John update on 2.2.1
GSoC
SPDX Tools

==SPDX 2.2.1==
* Update from Rex
** 6 remaining issues
*** Will be covered in a follow-up call with Kate. Any remaining issues will be brought to the group for next week
** Question on formatting for the headings and the links
*** Jack, Kate, Thomas, Rex and John will discuss offline

==GSoC==
* coding has started

==SPDX 3.0 Licensing Profile==
* Meta issue #386 is tracking all the license profile related issues
* Consolidating issues for license profile issue #385
** Collection of fields for license
* Do we need a distributed license?
** Both Jilayne and Steve believe that concluded license can be used
*** This was the original intent of concluded license
** Thomas expressed an interest in clearly declaring a non-disjunctive license at the point of distribution
*** Different distributed licenses may be chosen for different customers
** Documentation currently doesn’t capture the disjunctive choice scenario for concluded license
** Concluded is currently used for both adding a reviewed conclusion on the license data and for the choice of disjunctive licenses
** Vicky recommended that since the tool creators are requesting it, that should weigh in to the decision.
** Brad suggested teasing apart the document creator and the artifact creator when defining distributed license
*** Kate agrees that clarity around roles is going to be needed
* General support for moving to 2 fields for every artifact DeclaredLicense and ConcludedLicense
* Use of the DistributedLicense needs more discussion
** Description of use cases for DistributedLicense
** Updated documentation for ConcludedLicense to include disjunctive choice
** Documentation on Artifact

==Next Week’s Agenda==
* 2.2.1 update
* GSoC

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-06-02

2020-06-02T18:23:01Z

K.stewart: /* Next Week’s Agenda */

June 2, 2020
== Attendees ==
* Jim Hutchison
* Rex Jaeschke
* Kate Stewart
* William Bartholomew
* Gary O’Neall
* Nisha Kumar
* Steve Winslow
* John Mudge
* Takashi Ninjouji
* Peter Shin
* Rose Judge
* Thomas Steenbergen

Topics:
Rex/John update on 2.2.1
GSoC
SPDX Tools

==SPDX 2.2.1==
* Update from Rex
** Help wanted on a few issues (tagged as help needed)
** John making progress on translating code into format.
** Would like to target next week for all issues to be resolved, and put out for general review.

==GSoC==
* All mentors have met with their students
* Coding has started
* Adding a standing agenda item for the students to ask questions each meeting.

==SPDX Tools in the Repo==
* Java
** Classic Java Tools - Supports 1.2, 2.0, 2.1, 2.2(except for JSON/YAML/XML)
** New Java Tools - new repo that has API changes from classic java tools. Supports all formats of 2.2
* Python
** Need an update from Philippe on what happened to 2.1 port worked on via GSoC last summer
** Gary offered to help once we have breakdown clarified.
** Supports 1.2 today, but needs be brought up to 2.2
** Tern could use the Python library for as a validator
** Could use the community bridge mentoring program to help – Gary will follow-up on the mentoring call
* GoLang
** Currently 2.1
** Next working on 2.2
** Summer of code project to implement RDF format being incorporated
* JavaScript
** Last year's GSoC project but needs some work
** Could potentially use Kotlin as a substitute
* Kotlin
** ORT uses SPDX
** Could separate out a separate library
* License mapping
** Left off on how to map the ID’s to the aliases
** Each language can implement
** Future topic, possibly discuss in ACT.

==SPDX 3.0==
* Steve provided an overview of meta-issues
** Different projects use different terms – agreement to use Meta issue
** Suggestion to use Github template for the meta issues
*** Steve will create a template for META issues
** Consider using templates for the different profiles
* Labels
** suggest “profile licensing” - ok'd by Steve
** suggest “profile base” - ok'd by William
** suggest “profile security” - ok'd by Thomas
** Kate will add some additional profile labels
* No meta issue for security for now – will use labels
* William will look at a meta-profile

==Next Week’s Agenda==
* 2.2.1 update
* GSoC update
* License profile – joint call with legal starting at 15 minutes after the hours

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-06-02

2020-06-02T18:22:41Z

K.stewart: /* SPDX 3.0 */

June 2, 2020
== Attendees ==
* Jim Hutchison
* Rex Jaeschke
* Kate Stewart
* William Bartholomew
* Gary O’Neall
* Nisha Kumar
* Steve Winslow
* John Mudge
* Takashi Ninjouji
* Peter Shin
* Rose Judge
* Thomas Steenbergen

Topics:
Rex/John update on 2.2.1
GSoC
SPDX Tools

==SPDX 2.2.1==
* Update from Rex
** Help wanted on a few issues (tagged as help needed)
** John making progress on translating code into format.
** Would like to target next week for all issues to be resolved, and put out for general review.

==GSoC==
* All mentors have met with their students
* Coding has started
* Adding a standing agenda item for the students to ask questions each meeting.

==SPDX Tools in the Repo==
* Java
** Classic Java Tools - Supports 1.2, 2.0, 2.1, 2.2(except for JSON/YAML/XML)
** New Java Tools - new repo that has API changes from classic java tools. Supports all formats of 2.2
* Python
** Need an update from Philippe on what happened to 2.1 port worked on via GSoC last summer
** Gary offered to help once we have breakdown clarified.
** Supports 1.2 today, but needs be brought up to 2.2
** Tern could use the Python library for as a validator
** Could use the community bridge mentoring program to help – Gary will follow-up on the mentoring call
* GoLang
** Currently 2.1
** Next working on 2.2
** Summer of code project to implement RDF format being incorporated
* JavaScript
** Last year's GSoC project but needs some work
** Could potentially use Kotlin as a substitute
* Kotlin
** ORT uses SPDX
** Could separate out a separate library
* License mapping
** Left off on how to map the ID’s to the aliases
** Each language can implement
** Future topic, possibly discuss in ACT.

==SPDX 3.0==
* Steve provided an overview of meta-issues
** Different projects use different terms – agreement to use Meta issue
** Suggestion to use Github template for the meta issues
*** Steve will create a template for META issues
** Consider using templates for the different profiles
* Labels
** suggest “profile licensing” - ok'd by Steve
** suggest “profile base” - ok'd by William
** suggest “profile security” - ok'd by Thomas
** Kate will add some additional profile labels
* No meta issue for security for now – will use labels
* William will look at a meta-profile

==Next Week’s Agenda==
* 2.2.1 update
* GSoC
* License profile – joint call with legal starting at 15 minutes after the hours

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-06-02

2020-06-02T18:20:15Z

K.stewart: /* SPDX Tools in the Repo */

June 2, 2020
== Attendees ==
* Jim Hutchison
* Rex Jaeschke
* Kate Stewart
* William Bartholomew
* Gary O’Neall
* Nisha Kumar
* Steve Winslow
* John Mudge
* Takashi Ninjouji
* Peter Shin
* Rose Judge
* Thomas Steenbergen

Topics:
Rex/John update on 2.2.1
GSoC
SPDX Tools

==SPDX 2.2.1==
* Update from Rex
** Help wanted on a few issues (tagged as help needed)
** John making progress on translating code into format.
** Would like to target next week for all issues to be resolved, and put out for general review.

==GSoC==
* All mentors have met with their students
* Coding has started
* Adding a standing agenda item for the students to ask questions each meeting.

==SPDX Tools in the Repo==
* Java
** Classic Java Tools - Supports 1.2, 2.0, 2.1, 2.2(except for JSON/YAML/XML)
** New Java Tools - new repo that has API changes from classic java tools. Supports all formats of 2.2
* Python
** Need an update from Philippe on what happened to 2.1 port worked on via GSoC last summer
** Gary offered to help once we have breakdown clarified.
** Supports 1.2 today, but needs be brought up to 2.2
** Tern could use the Python library for as a validator
** Could use the community bridge mentoring program to help – Gary will follow-up on the mentoring call
* GoLang
** Currently 2.1
** Next working on 2.2
** Summer of code project to implement RDF format being incorporated
* JavaScript
** Last year's GSoC project but needs some work
** Could potentially use Kotlin as a substitute
* Kotlin
** ORT uses SPDX
** Could separate out a separate library
* License mapping
** Left off on how to map the ID’s to the aliases
** Each language can implement
** Future topic, possibly discuss in ACT.

==SPDX 3.0==
* Steve provided an overview of meta-issues
** Different projects use different terms – agreement to use Meta issue
** Suggestion to use Github template for the meta issues
*** Steve will create a template for META issues
** We could use templates for the different profiles
* Labels
** suggest “profile licensing”
** suggest “profile base”
** suggest “profile security”
** Kate will add some additional profile labels
* No meta issue for security for now – will use labels

==Next Week’s Agenda==
* 2.2.1 update
* GSoC
* License profile – joint call with legal starting at 15 minutes after the hours

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-06-02

2020-06-02T18:13:52Z

K.stewart: /* GSoC */

June 2, 2020
== Attendees ==
* Jim Hutchison
* Rex Jaeschke
* Kate Stewart
* William Bartholomew
* Gary O’Neall
* Nisha Kumar
* Steve Winslow
* John Mudge
* Takashi Ninjouji
* Peter Shin
* Rose Judge
* Thomas Steenbergen

Topics:
Rex/John update on 2.2.1
GSoC
SPDX Tools

==SPDX 2.2.1==
* Update from Rex
** Help wanted on a few issues (tagged as help needed)
** John making progress on translating code into format.
** Would like to target next week for all issues to be resolved, and put out for general review.

==GSoC==
* All mentors have met with their students
* Coding has started
* Adding a standing agenda item for the students to ask questions each meeting.

==SPDX Tools in the Repo==
* Java Classic
* Java Tools
* Python
** Need an update from Philippe
** Gary offered to help
** Needs be brought up to 2.2
** Tern could use the Python library for as a validator
** Could use the community bridge mentoring program to help – Gary will follow-up on the mentoring call
* GoLang
** Currently 2.1
** Next working on 2.2
** Summer of code project to implement RDF format
* JavaScript
** Summer of Code project but needs some work
** Could potentially use Kotlin as a substitute
* Kotlin
** ORT uses SPDX
** Could separate out a separate library
* License mapping
** Left off on how to map the ID’s to the aliases
** Each language can implement
** Future topic

==SPDX 3.0==
* Steve provided an overview of meta-issues
** Different projects use different terms – agreement to use Meta issue
** Suggestion to use Github template for the meta issues
*** Steve will create a template for META issues
** We could use templates for the different profiles
* Labels
** suggest “profile licensing”
** suggest “profile base”
** suggest “profile security”
** Kate will add some additional profile labels
* No meta issue for security for now – will use labels

==Next Week’s Agenda==
* 2.2.1 update
* GSoC
* License profile – joint call with legal starting at 15 minutes after the hours

[[Category:Technical|Minutes]]

Technical Team/Minutes/2020-06-02

2020-06-02T18:12:02Z

K.stewart: /* SPDX 2.2.1 */

June 2, 2020
== Attendees ==
* Jim Hutchison
* Rex Jaeschke
* Kate Stewart
* William Bartholomew
* Gary O’Neall
* Nisha Kumar
* Steve Winslow
* John Mudge
* Takashi Ninjouji
* Peter Shin
* Rose Judge
* Thomas Steenbergen

Topics:
Rex/John update on 2.2.1
GSoC
SPDX Tools

==SPDX 2.2.1==
* Update from Rex
** Help wanted on a few issues (tagged as help needed)
** John making progress on translating code into format.
** Would like to target next week for all issues to be resolved, and put out for general review.

==GSoC==
* Met with all the students
* coding has started

==SPDX Tools in the Repo==
* Java Classic
* Java Tools
* Python
** Need an update from Philippe
** Gary offered to help
** Needs be brought up to 2.2
** Tern could use the Python library for as a validator
** Could use the community bridge mentoring program to help – Gary will follow-up on the mentoring call
* GoLang
** Currently 2.1
** Next working on 2.2
** Summer of code project to implement RDF format
* JavaScript
** Summer of Code project but needs some work
** Could potentially use Kotlin as a substitute
* Kotlin
** ORT uses SPDX
** Could separate out a separate library
* License mapping
** Left off on how to map the ID’s to the aliases
** Each language can implement
** Future topic

==SPDX 3.0==
* Steve provided an overview of meta-issues
** Different projects use different terms – agreement to use Meta issue
** Suggestion to use Github template for the meta issues
*** Steve will create a template for META issues
** We could use templates for the different profiles
* Labels
** suggest “profile licensing”
** suggest “profile base”
** suggest “profile security”
** Kate will add some additional profile labels
* No meta issue for security for now – will use labels

==Next Week’s Agenda==
* 2.2.1 update
* GSoC
* License profile – joint call with legal starting at 15 minutes after the hours

[[Category:Technical|Minutes]]

General Meeting/Minutes/2020-05-07

2020-05-07T21:43:20Z

K.stewart: /* Outreach Team Report - Jack */

* Attendance: 19
* Lead by Phil Odence
* Minutes of April meeting

== Presentation - SPDX 2.2 Overview, Kate ==

* SPDX 2.2 is released!
* Great job team
* https://docs.google.com/presentation/d/1JGVS6vzGwueTDCBHWUNy9ItEFHZ5BwFZoUZsl7Ccxsw/edit#slide=id.p87

== Tech Team Report - Kate / Gary ==

* Spec
** See above
* Tools
** Just released java tools updating to 2.2
*** Will be separate tool for new formats and will be migrating that way in the next month or two
*** Leaner, faster, more modern
*** Python libs support new JSON today
** Maintaining full forward/backward compatibility
* GSoC
** Students will be joining
** They are getting oriented now
** Will start coding in a month

== Legal Team Report - Jilayne/Paul/Steve ==

* License List
** Release postponed to Mid-May so as not to clash with 2.2
** Another week of work on tagging remaining requests

== Outreach Team Report - Jack ==

* Twitter
** @SPDXTeam is now a Twitter handle

== Cross Functional - Steve ==

* Website
** Existing website is on Drupal
** All LF stuff moving to Wordpress
*** Some issues with auto generated pages on Wordpress
*** Critical to maintain URLs
*** Solution- License and RDF will stay at their current locations
*** New site will be spdx.dev
**** Full redirects will be in place
**** So no issues for users with migration
*** Contents has been largely maintained
**** Some cleanup of formatting and organization
*** Plan to improve content over time.

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Mark Atwood, Amazon
* Steve Winslow, LF
* Kate Stewart, Linux Foundation
* Alexios Zavras, Intel
* David Wheeler, Linux Foundation
* Gary O’Neall, SourceAuditor
* Matthew Crawford, ARM
* Jack Manbeck, TI
* Bradlee Edmondson, Harvard
* Hal Hearst, Synopsys
* Anisha Srivastava, Student
* Takashi Ninjouji, Toshiba
* Paul Madick
* Brad Goldring, GTC Law
* William Bartholomew, GitHub
* Jilayne Lovejoy, Canonical
* Matije Suklje, Liferay
* Philippe Ombrédanne- nexB

[[Category:General|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2020-05-07

2020-05-07T21:41:58Z

K.stewart: /* Presentation - SPDX 2.2 Overview, Kate */

* Attendance: 19
* Lead by Phil Odence
* Minutes of April meeting

== Presentation - SPDX 2.2 Overview, Kate ==

* SPDX 2.2 is released!
* Great job team
* https://docs.google.com/presentation/d/1JGVS6vzGwueTDCBHWUNy9ItEFHZ5BwFZoUZsl7Ccxsw/edit#slide=id.p87

== Tech Team Report - Kate / Gary ==

* Spec
** See above
* Tools
** Just released java tools updating to 2.2
*** Will be separate tool for new formats and will be migrating that way in the next month or two
*** Leaner, faster, more modern
*** Python libs support new JSON today
** Maintaining full forward/backward compatibility
* GSoC
** Students will be joining
** They are getting oriented now
** Will start coding in a month

== Legal Team Report - Jilayne/Paul/Steve ==

* License List
** Release postponed to Mid-May so as not to clash with 2.2
** Another week of work on tagging remaining requests

== Outreach Team Report - Jack ==

* Twitter
** SPDX Tools is no a Twitter handle

== Cross Functional - Steve ==

* Website
** Existing website is on Drupal
** All LF stuff moving to Wordpress
*** Some issues with auto generated pages on Wordpress
*** Critical to maintain URLs
*** Solution- License and RDF will stay at their current locations
*** New site will be spdx.dev
**** Full redirects will be in place
**** So no issues for users with migration
*** Contents has been largely maintained
**** Some cleanup of formatting and organization
*** Plan to improve content over time.

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Mark Atwood, Amazon
* Steve Winslow, LF
* Kate Stewart, Linux Foundation
* Alexios Zavras, Intel
* David Wheeler, Linux Foundation
* Gary O’Neall, SourceAuditor
* Matthew Crawford, ARM
* Jack Manbeck, TI
* Bradlee Edmondson, Harvard
* Hal Hearst, Synopsys
* Anisha Srivastava, Student
* Takashi Ninjouji, Toshiba
* Paul Madick
* Brad Goldring, GTC Law
* William Bartholomew, GitHub
* Jilayne Lovejoy, Canonical
* Matije Suklje, Liferay
* Philippe Ombrédanne- nexB

[[Category:General|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2020-04-02

2020-04-03T11:43:44Z

K.stewart: /* Tech Team Report - Kate */

* Attendance: 19
* Lead by Phil Odence
* Minutes of April meeting

== Guest Speaker- Allan Friedman, NTIA ==

* NTIA’s Multistakeholder SBOM Process
** Concerns about software supply chain risks have garnered more attention and energy in the OSS community, industry, and governments around the world. One natural starting point is a greater expectation of transparency of software components and dependencies. Any solution must scale up and down the software supply chain, and across the incredibly diverse software ecosystem, from modern CI/CD application development to critical infrastructure and embedded systems. Over the past two years, NTIA has helped a diverse set of stakeholders find a common vision for a "software bill of materials" (SBOM) that has the potential to scale as needed, and serve as a foundation for even more innovation around software supply chain security and quality. The SPDX community has played a key role in this discussion, and emerged as a key standard. This presentation will give an overview of the policy landscape, the progress made, and the work yet to be done around SBOM.
** Allan’s slides https://drive.google.com/open?id=1KOsm6grnSZ5FsSnzTI9ybYT9m84F8Zfe

== Tech Team Report - Gary & Kate ==

* Spec
** Wrapping up 2.2 spec
*** NTIA's request for mechanism to illustrate Known unknowns made it in
** 3.0 Visions
*** William Bartholomew’s talk about profiles was great (recorded)
*** Santiago talk about linking artifacts and signing helped clarify a lot of misconceptions (recorded)
* Tools
** Gary’s been working on 2.2 tooling
*** Working on a complete rewrite to the java tools to support multiple formats
** Google SoC
*** 15 different submissions
*** Google is looking for additional mentors on each project
*** So, we need more mentors; contact Gary

== Legal Team Report - Steve ==

* Finalized updates to license inclusion principles
** Mostly clarifications
** But also to broaden a bit for non-OSS source available licenses
** https://github.com/spdx/license-list-XML/blob/master/DOCS/license-inclusion-principles.md
* 3.9 list release has been pushed out a bit
** Were waiting for above
** https://github.com/spdx/license-list-XML/issues?q=is%3Aopen+is%3Aissue+milestone%3A%223.9+release%22
* In anticipation of 3.0 working on a licensing profile
* With Tech Team, updating back end of SPDX website to manage move from Drupal to Wordpress
** Maintaining license URLs
** Static pages moving do a different domain.

== Outreach Team Report - Jack ==

* Will be looking for help to update content for Website as per above
* Documenting comprehensive list of SPDX-related tooling

== Cross Functional - ==

* None

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Alan Friedman, NTIA
* Rose Judge, VMware
* Steve Winslow, LF
* Kate Stewart, Linux Foundation
* Alexios Zavras, Intel
* Jack Manbeck, TI
* Jim Hutchison, Qualcomm
* William Bartholomew, GitHub
* Dave McLoughlin, Flexera
* Michael Herzog- nexB
* Alex Rybak, Flexera
* Gary O’Neall, SourceAuditor
* Paul Madick
* Brad Goldring, GTC Law
* David Wheeler, Linux Foundation
* Mike Dolan, Linux Foundation
* Bob Campbell, DXC
* Mark Atwood, Amazon

[[Category:General|Minutes]]
[[Category:Minutes]]

GSOC/GSOC ProjectIdeas

2020-03-24T00:15:25Z

K.stewart: Add new project

'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''

See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.

Should you have questions please do not hesitate to contact one of the mentors directly.

 

__TOC__

 

== What is SPDX ? ==

First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.

As part of this effort we have developed a set of collateral that can be used:

* [https://spdx.org/using-spdx License List and Short Identifiers]
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Documents in multiple formats]
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]
* [https://spdx.org/using-spdx License Identifiers in source]

== Why choose an SPDX Project? ==

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.

 

= Getting Involved =

Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .

== Resources ==

* [http://spdx.org SPDX website]
* [https://spdx.org/specifications SPDX Specification]
* [https://spdx.org/tools SPDX Workgroup Tools webpage]
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]

=Proposed 2020 Projects=

Mentors: please fill out the following template for any projects you wish to propose.

=== Project Name ===
add overview of project here
====Skills Needed====
what skills should the student have to do the coding exercises
====Background Information====
context for the project and references to be studied
====Available Mentors====
list individuals who are willing to mentor and provide information about the project proposal.

(The projects from last year can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).

==SPDX Workgroup Tooling Projects==
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.

===Implement SPDX License Matching in Python===
Implement as much of the SPDX License Matching Guidelines as practical in Python. This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.

Following is a list of suggested features:
* Provide an interface which will check text against a license template using the license matching guidelines
* Provide an interface which will check text and return all matching SPDX listed license ID's
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines
* When there is not a match, provide a return value making it possible to describe where and why the license does not match

====Background Information====
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.

====Skills Needed====
* Development skills in the Python
* Skills in parsing and pattern matching
* Ability to work with the community in integrating results with other projects

====Available Mentors====
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]

=== Generate Java SPDX Model Classes from XML XSD file ===
In SPDX 3.0, we will be generating an XML XSD schema to define the model. This project idea is to use the XSD schema to generate a set of Java classes which represent the complete SPDX model. The generated classes would be used as part of a re-designed Java tool for SPDX.

====Skills Needed====
* Java programming skills
* XML/XSD skills
* Skills in code generation practices
* Ability to work with the community in integrating results with other projects

====Background Information====
* A proposed XSD for SPDX can be found on [https://github.com/mil-oss/spdx-xsd github]. Note: This is a very early proposal and would likely change significantly.
* Current Java tools can be found on [https://github.com/spdx/tools SPDX Tools github page]
* A rewrite of the Java tools is in progress. The in progress work can be found at the [https://github.com/goneall/Spdx-Java-Library Spdx-Java-Library] github page.

====Available Mentors====
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]

=== Validate License Cross-References ===
Enhance the SPDX LicenseListPublisher to validate the cross reference / seeAlso URL's for the license. One check would be to validate the link is still valid. This would need to be done in a way that has reasonably good performance (e.g. a long timeout would not work). Another check would be to identify the license text in the linked URL and compare it to the license text for the license itself to make sure they match. If either of these tests fail, a validity attribute should be added to the license output files (e.g. the license JSON files).

====Skills Needed====
* Java programming skills
* XML/XSD skills
* HTML parsing skills
* Ability to work with the community in integrating results with other projects

====Background Information====
The [https://spdx.org/licenses/ SPDX license list] is generated from a [https://github.com/spdx/license-list-XML git repository of XML files]. One of the fields maintained in the XML is the crossRef which is a URL cross reference for the license which may be valid or it may also be a "dead link". The [https://github.com/spdx/LicenseListPublisher LicenseListPublisher] is the tool that generates the web pages and the output formats. The output formats can be found in the [https://github.com/spdx/license-list-data SPDX license list data] git repository. [https://github.com/spdx/LicenseListPublisher/issues/60#issuecomment-570511697 Issue #60] for the LicenseListPublisher describes a request to include validity attribute.

Over the summer, we may be adding the XML format to the supported output data formats in the license list data repo.

====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall]

=== Improve SPDX Golang tooling ===
The goal of this GSoC project would be to add support in the [https://github.com/spdx/tools-golang SPDX Golang tools] for SPDX documents in versions of the SPDX spec other than 2.1, including the upcoming 2.2 spec release which will add JSON, YAML and XML to the supported formats. Other work may include improving the validation and data model used by the Golang tools.

====Skills Needed====
* Go programming skills
* Experience with JSON and YAML (XML a plus)
* Ability to interpret and implement the SPDX specification and related community documentation
* Ability to work with the community in integrating results with other projects
* Willingness to learn about open source licensing and related technical matters

====Background Information====
The [https://github.com/spdx/tools-golang SPDX Golang tools] were initially designed to work with SPDX documents in tag-value format, for version 2.1 of [https://spdx.org/specifications the SPDX specification]. Currently it does not support earlier versions of the SPDX specification. Also, [https://github.com/spdx/spdx-spec/milestone/2 the upcoming 2.2 spec release], in addition to new data fields, will also add support for SPDX documents in JSON, YAML and XML formats. The Golang tools should (at a minimum) be updated to enable reading and writing in JSON and YAML.

The SPDX Golang tools currently do some validation when reading and parsing SPDX documents, but they do not currently do much validation of the content itself. For example, license fields are represented as strings, but the tools do not currently check to confirm that e.g. the license identifiers are valid SPDX license expressions. Additional validation support to improve this would be beneficial.

Additionally, the [https://github.com/spdx/tools-golang/tree/master/spdx data model used internally by the SPDX tools] to represent SPDX content is different in some ways from the data model used by other tools (e.g. [https://github.com/spdx/tools/tree/master/src/org/spdx/rdfparser/model Java], [https://github.com/spdx/tools-python/tree/master/spdx Python]). One goal for this project might be to evaluate the choices made by those other tools, and consider whether the Golang tools' data model should change to align with those.

====Available Mentors====
[mailto:swinslow@linuxfoundation.org Steve Winslow]

=== GoLang Parallel RDF Parser ===
Implement a high performance RDF parser for GoLang to support the SPDX RDF/XML format parsing and production.

====Skills Needed====
* GoLang programming skills
* Knowledge of RDF
* Knowledge of parsing algorithms

====Background Information====
As of now, there are very few known libraries in GoLang which support RDF-Parsing and are Licensed to use with an open-source project. One of them is [https://godoc.org/github.com/knakk/rdf](knakk/rdf2go). This library uses the RDF serialization format. All the current projects claiming to parse RDF files have implemented it in a linear fashion(line by line parsing) making it a repetitive and time-consuming process. This project will aim to chunk the RDF files into appropriate blocks and parse them simultaneously to reduce the effective time required to parse the entire document. The parser must conform to the SPDX-2.x version standards and have proper tests for each procedure.

This project could be included as part of a larger project which includes other fixes to the GoLang tools (see the Improve GoLang tooling project idea above).
====Available Mentors====
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]

=== SPDX Plugins for Package Managers ===
Create a native plug-in or extension to a well-known package manager to generate valid SPDX documents based on the information provided in the build metadata files. Examples of package managers include Node Package Manager (NPM), Gradle, Rust Cargo, Ruby Gems, Python pip, and Cocoa Pods. A plugin for Maven has already been developed and can be used as an example.

The plugin should generate a valid SPDX document with minimal configuration required by the user.
====Skills Needed====
* Programming languages skills will depend on the package manager (e.g. Ruby for Ruby Gems, JavaScript for NPM)
* Knowledge of package managers and build processes
* Skills in parsing and pattern matching
* Ability to work with the community in integrating results with other projects
====Background Information====
SPDX produces a standard Bill of Materials for software containing package and license information. Package managers collect and manage much of the data needed to produce an SPDX document. Automatically generating SPDX documents in package managers will greatly increase the efficiency and adoption of SPDX.

The [Maven Plugin]( https://github.com/spdx/spdx-maven-plugin) is a prototype plugin developed for the Maven build system. It can be used as an example for creating plugins for other build environments.
====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:kstewart@linuxfoundation.org Kate Stewart]

==SPDX Specification Projects==
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.

=== SPDX Specification Views for legal counsels and developers ===
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.
====Skills Needed====
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX
====Background Information====
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions
====Available Mentors====
[mailto:swinslow@linuxfoundation.org Steve Winslow]
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]

=== ClearlyDefined exporting and importing SPDX documents ===
The goal of this GSoC project would be to add support in the [https://https://github.com/clearlydefined ClearlyDefined project] to export curated data into SPDX 2.2 documents. Once that is accomplished, being able to import SPDX documents into the curated database would be the next step.

====Skills Needed====
* Experience with JSON and YAML (XML a plus)
* Ability to interpret and implement the SPDX specification and related ClearlyDefined community documentation
* Ability to work with the community in integrating results with other projects
* Willingness to learn about open source licensing and related technical matters

====Background Information====
Export a ClearlyDefined workspace as a SPDX document:
* user to navigate to https://clearlydefined.io/workspace
* Add one or more components to the workspace through any of the existing means,
* then click Share, and then slick SPDX (choice of 2.2 supported output formats).
which would result in an SPDX document is exported containing all of the components that were in the workspace.
Note: If there is mandatory information required by SPDX that ClearlyDefined does not have we will need to determine how to accommodate that.

To populate a workspace from a SPDX document:
* user to navigate to https://clearlydefined.io/workspace
* drag a SPDX document into the workspace and then all of the components in the SPDX document are added to the workspace.

There are some discrepancies between the content in ClearlyDefined and that SPDX documents, so work would be needed with both communities to figure out: what to do if license information in the SPDX disagrees with what ClearlyDefined has and how to handle pending curations?

====Available Mentors====
[mailto:kstewart@linuxfoundation.org Kate Stewart]
[mailto:IAMWILLBAR@github.com William Bartholomew]

GSOC/GSOC ProjectIdeas

2020-01-10T21:19:44Z

K.stewart: Update page in prep for submitting to 2020

Technical Team/Minutes/2019-12-03

2019-12-03T19:44:42Z

K.stewart: Add some comments from start, and couple of tweaks.

December 3, 2019
== Attendees ==
* Gary O’Neall
* Alexios Zavras
* Kate Stewart
* Jim Hutchinson
* Steve Winslow
* Matthew Crawford
* William Bartholomew
* Alan Tse
* Mark Atwood
* Rose Judge
* Nisha Kumar
* Philippe Ombredanne
* Thomas Steenbergen
* Brad Edmondston

==Other Initiatives Discussion==
* Nisha attended Kubecon and remarked on seeing lots of interest in SBOM's in the container space, but folks not sure where to engage.
* Multiple efforts underway, OCI, CNCF/InToto, CDF Security Sig/OMG SBOM working group, NTIA - each has own perspective

==3.0 Model==
* Proposed update from William
* Came out of feedback from OMG workgroup, which looked at approach from Framing group from NTIA (see www.ntia.gov/SBOM)
* Feedback on current model:
** Exclusively focused on licensing and IP
** Not very approachable
* Different profiles for the different usages (e.g. IP, Security)
* Feedback: Change “Intellection Property” to “Licensing” for profile name
* Tooling – do we need to support all profiles?
** SPDX focused on syntax
** Producers and consumers have policies on what profiles are supported
* Discussion on Relationship – issue has already been added
* Discussion on FilesAnalyzed – William will add an issue to track

==SPDX Document License==
* We didn’t have a quorum to discuss completely
* Steve and Jilyane are researching the reasons for the mandatory DataLicense: CC0-1.0 declaration currently in use
* Request that those who would like it changed to document the reasons
* Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not the document itself
* Steve will open an issue to track

==Joint Legal/Tech calls==
* Settle on start of new year, Steve to put out a calendar invite.

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Technical Team/Minutes/2019-12-03

2019-12-03T19:38:33Z

K.stewart: /* Attendees */ add 2 attendees missed in original list.

December 3, 2019
== Attendees ==
* Gary O’Neall
* Alexios Zavras
* Kate Stewart
* Jim Hutchinson
* Steve Winslow
* Matthew Crawford
* William Bartholomew
* Alan Tse
* Mark Atwood
* Rose Judge
* Nisha Kumar
* Philippe Ombredanne
* Thomas Steenbergen
* Brad Edmondston

==3.0 Model==
* Proposed update from William
* Came out of feedback from OMG group
* Feedback on current model:
** Exclusively focused on licensing and IP
** Not very approachable
* Different profiles for the different usages (e.g. IP, Security)
* Feedback: Change “Intellection Property” to “Licensing” for profile name
* Tooling – do we need to support all profiles?
** SPDX focused on syntax
** Producers and consumers have policies on what profiles are supported
* Discussion on Relationship – issue has already been added
* Discussion on FilesAnalyzed – William will add an issue to track

==SPDX Document License==
* We didn’t have a quorum to discuss completely
* Steve and Jilyane are researching the reasons for the mandatory DataLicense: CC0-1.0 declaration currently in use
* Request that those who would like it changed to document the reasons
* Philippe suggested that for some use cases where there is a contract in place between the supplier and consumer, the license for the SPDX document be in the license and not the document itself
* Steve will open an issue to track

[[Category:Technical|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2019-08-01

2019-08-01T19:31:46Z

K.stewart: /* Outreach Team Report - Kate */ - action item agreed to in meeting dropped off. Adding it back.

* Attendance: 11
* Lead by Phil Odence
* Minutes of July meeting approved

== Special Presentations - Umang Taneja, Tanjong Smith, GSoC ==

* Umang
** License submittal workflow automation
*** Aim is to enhance user experience
*** Compare submitted text against existing licenses to see if there’s duplication or close match
*** Problems he’s trying address
**** What if the license is on the list, proposed, rejected…or a close match to one of those
**** Current XML formatting- word-wrap doesn’t match license
*** Also creating/documenting an API
** Tasks:
*** Create API- use without logging in, so can be accessed by other tools
*** Create License Matcher- looks for exact and close matches
**** Returns all matches and close matches
*** Compare with not accepted as well as rejected licenses.
**** Reports appropriately according to match
**** Relies on user input regarding whether to go ahead with submittal
*** Improve formatting of generated license
** Screenshots available at: https://docs.google.com/document/d/1NMcLZVXxBV2PZobPJh1OugbCfC2d8kbAOX4m4TauEYk/edit?usp=sharing
** Some discussion of how the workflow should work with close matches
** Aiming for demo in future Legal Team meeting

* Tanjong
** License namespace
*** A way to name valid licenses outside of the License List
*** Created namespace and UI
*** Also a mechanism for turning into a license request
*** Took feedback from the joint/legal team meeting

== Tech Team Report - Kate/Gary ==

* Spec
** Progress on Appendix for including other fields in the source like the license ID
*** Worked with Legal team members and general agreement to keep scope at file level
*** Recommend using existing Tags with SPDX prefix, and expectation that format follows fields.
*** Motivation is that this makes it easier for tools to pick up data accurately from source.
** SPDX document generation from project sources (demo'd last month)
*** Philip is looking for projects to try the tool on, if you have some you want to experiment with, please contact him.
* Tools
** GSoC
*** Continues to go very well
*** All students passed second evaluation
** Looking for feedback from community:
*** License matching algorithm approaches
**** Some encoded rules
**** Some depended on XML markup
**** Should we encode in XML or handle programmatically? (Discuss with Gary)

== Legal Team Report - Jilayne/Paul/Steve ==

* License List
** 3.6 version went out last month
** Working issues in 3.7
*** Good input/support from Tech Team
** Recent meetings have been joint with Tech Team
*** Very helpful at this point

== Outreach Team Report - Kate ==

* Shane has readied the survey
* Phil to reach out to Shane and Jack and determine deployment plan.

== Cross Functional - ==

* None

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Matthew Crawford, ARM
* Umang Taneja, GSoC
* Tanjong Smith, GSoC
* Steve Winslow, LF
* Gary O’Neall, SourceAuditor
* Kate Stewart, Linux Foundation
* Paul Madick, Dimension Data
* Mark Atwood, Amazon
* Jilayne Lovejoy, Canonical
* Jack Manbeck, TI

[[Category:General|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2019-08-01

2019-08-01T19:30:48Z

K.stewart: /* Tech Team Report - Kate/Gary */ clarify a couple of points.

* Attendance: 11
* Lead by Phil Odence
* Minutes of July meeting approved

== Special Presentations - Umang Taneja, Tanjong Smith, GSoC ==

* Umang
** License submittal workflow automation
*** Aim is to enhance user experience
*** Compare submitted text against existing licenses to see if there’s duplication or close match
*** Problems he’s trying address
**** What if the license is on the list, proposed, rejected…or a close match to one of those
**** Current XML formatting- word-wrap doesn’t match license
*** Also creating/documenting an API
** Tasks:
*** Create API- use without logging in, so can be accessed by other tools
*** Create License Matcher- looks for exact and close matches
**** Returns all matches and close matches
*** Compare with not accepted as well as rejected licenses.
**** Reports appropriately according to match
**** Relies on user input regarding whether to go ahead with submittal
*** Improve formatting of generated license
** Screenshots available at: https://docs.google.com/document/d/1NMcLZVXxBV2PZobPJh1OugbCfC2d8kbAOX4m4TauEYk/edit?usp=sharing
** Some discussion of how the workflow should work with close matches
** Aiming for demo in future Legal Team meeting

* Tanjong
** License namespace
*** A way to name valid licenses outside of the License List
*** Created namespace and UI
*** Also a mechanism for turning into a license request
*** Took feedback from the joint/legal team meeting

== Tech Team Report - Kate/Gary ==

* Spec
** Progress on Appendix for including other fields in the source like the license ID
*** Worked with Legal team members and general agreement to keep scope at file level
*** Recommend using existing Tags with SPDX prefix, and expectation that format follows fields.
*** Motivation is that this makes it easier for tools to pick up data accurately from source.
** SPDX document generation from project sources (demo'd last month)
*** Philip is looking for projects to try the tool on, if you have some you want to experiment with, please contact him.
* Tools
** GSoC
*** Continues to go very well
*** All students passed second evaluation
** Looking for feedback from community:
*** License matching algorithm approaches
**** Some encoded rules
**** Some depended on XML markup
**** Should we encode in XML or handle programmatically? (Discuss with Gary)

== Legal Team Report - Jilayne/Paul/Steve ==

* License List
** 3.6 version went out last month
** Working issues in 3.7
*** Good input/support from Tech Team
** Recent meetings have been joint with Tech Team
*** Very helpful at this point

== Outreach Team Report - Kate ==

* Shane has readied the survey

== Cross Functional - ==

* None

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Matthew Crawford, ARM
* Umang Taneja, GSoC
* Tanjong Smith, GSoC
* Steve Winslow, LF
* Gary O’Neall, SourceAuditor
* Kate Stewart, Linux Foundation
* Paul Madick, Dimension Data
* Mark Atwood, Amazon
* Jilayne Lovejoy, Canonical
* Jack Manbeck, TI

[[Category:General|Minutes]]
[[Category:Minutes]]

Technical Team

2019-05-07T13:26:08Z

K.stewart: update weekly contact info to new Zoom site.

This is the working area for the technical team. This team has primary responsibility for drafting the specification and developing documentation, templates, samples and tools.

The Technical Team meets weekly on

Tuesdays at 17:00 UTC (and best guess for local time - 10:00AM PDT, 11:00 MDT, 12:00PM CDT, 1:00PM EDT, 18:00 WAT, 19:00 CEST).
Australia +61 2 8015 2088
Canada +1 647 558 0588
Germany +49 30 3080 6188
Japan +81 3 4578 1488
US Toll-free 877 369 0926
Find your local number: https://zoom.us/u/ac9KKJWzJT

Meeting ID: 663 426 859

Screenshare:
https://zoom.us/j/663426859

* [[Technical_Team/SPDX_Upcoming_Meetings|SPDX Upcoming Meeting Agenda]]
* [[Technical_Team/SPDX_Specification_Versions|SPDX Specification Versions]]
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms|SPDX RDF Vocabularies and Terms]]
* [[Technical_Team/Minutes|Meeting Minutes for the Technical Team]]
* [[Technical_Team/Priorities|Current Priorities and Work in Progress for the Technical Team]]
* [[Technical_Team/Old|Older Items for the Technical Team]]
* [[Technical_Team/Field_Names|Field Names]]
* [[Technical_Team/Spreadsheet_Template|Spreadsheet Template]]

[[Category:Technical]] [[Category:TestCategory]]

General Meeting/Minutes/2019-02-07

2019-02-07T17:33:12Z

K.stewart: update to add links to /* Tech Team Report - Kate/Gary */

* Attendance: 10
* Lead by Phil Odence
* Minutes of Jan meeting approved

== Tech Team Report - Kate/Gary ==

* Tools
** Applying to participate in GSoC for 2019
*** Variety of proposals on Wiki: https://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeas
*** We’ll hear back end of Feb 26 if we are selected.
** tools-golang
*** Steve Winslow has contributed new Go libraries to SPDX to support generating SPDX documents see: https://github.com/spdx/tools-golang
*** He also created a tool to scan the kernel looking for SPDXIDs that Kate used for her talk at LCA to get latest status of the Kernel.
*** Go Steve!
* Specification
** Discussing Mark Atwood's Idea for alternative name spaces for companies licenses that are not open source.
*** Spec can handle via "LicenseRef-"
*** What guidance do we provide?
** Unblocking contributions to 2.2
*** Kate is working with Thomas to unblock contributions to 2.2 (switch master over to 2.2 from 2.1.1)
*** We will be starting to take pull requests into 2.2 spec, for features approved, please assign issue to yourself if you want to write up the feature.
*** Focus for next few months
* Started a tech call in Asia friendly time
** Call will be on 2nd Tuesday of each month 10am Japan/12pm Australia (and 5pm PST Monday) on https://www.uberconference.com/SPDXTeam
** First topic will be SPDX-lite discussion that's started in the OpenChain workgroup.

== Legal Team Report - Jilayne ==

* License List
** New process and links posted
*** Published policy says advocates need to stay engaged or requests may drop off the radar
*** GitHub process seems like a great way to handle requests
** Need work outside the call

== Outreach Team Report - Jack ==

* LinuxCon Aussie Presentation
** Included Stat1/3 of files in Kernel have SPDX in them
** Great momentum
* Panel at FOSDEM on OSS Compliance tooling
** Alexios attended
*** Lots or proposals on tools, so organizers turned into a panel w/ Bradley K moderating
*** Theme was need for interoperatblity
** Video will be published
** Alexios also mentioned that at recent copyleft conference, SPDX came up in every talk
* Website
** Looking into status of move to Wordpress with LF
** Request a new license page has been directed to GitHub repo
* Need an Outreach reboot

== Cross Functions ==

* Alternate name space
** Basics
*** Many companies have source available non-OSS licenses
*** Would be good for companies to be able to have standard local names
** Proposal is to use DNS
*** Addresses issues with flat, first come first served
*** DNS will be around for a long time
*** Allows companies to self-assign
*** Internationalized by default
*** Immediately readable
*** Leading dot clearly differentiates from SPDX standard names
*** Challenges
**** Doesn’t cary text
**** Companies’ names may change through M&A and may lose domains in the process
**** How to ensure that a company doesn’t change license text
** Sentiment is in favor of
*** Retain “License Ref” prefix
*** Standardize on place to log license data
*** In a one-license SPDX doc
*** Mark will mock up with one of the Amazon licenses, collaborating with Kate

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Kate Stewart, Linux Foundation
* Mark Atwood, Amazon
* Jilayne Lovejoy
* Gary O’Neall, SourceAuditor
* Dennis Clark, NexB
* Alexios Zavras, Intel
* Jack Manbeck, TI
* Mark Baushke, Juniper
* David Ryan

[[Category:General|Minutes]]
[[Category:Minutes]]

GSOC/GSOC ProjectIdeas

2019-02-05T01:41:08Z

K.stewart: /* SPDX Specification Projects */

'''Welcome to the 2019 SPDX Google Summer of Code Project Page'''

See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.

Should you have questions please do not hesitate to contact one of the mentors directly.

 

__TOC__

 

== What is SPDX ? ==

First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.

As part of this effort we have developed a set of collateral that can be used:

* [https://spdx.org/using-spdx License List and Short Identifiers]
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Doucments in either RDF or Tag/Value format]
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]
* [https://spdx.org/using-spdx License Identifiers in source]

== Why choose an SPDX Project? ==

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.

 

= Getting Involved =

Beyond working wth your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list (see resources). There is however a weekly call you could join as well. All of the daily work for the Tech team is done on this wiki.

== Resources ==

* [http://spdx.org SPDX website]
* [https://spdx.org/specifications SPDX Specification]
* [https://spdx.org/tools SPDX Workgroup Tools webpage]
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]

=SPDX Workgroup Tooling Projects=
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX and increase the accuracy of the SPDX documents.

==Enhanced Workflow for Online License Request==
Update the SPDX Online Tools license submit feature to support the following workflow:
* License submit can be initiated directly from the UI or through an external application (e.g. the [https://github.com/spdx/spdx-license-diff SPDX License Diff browser plugin]) using a documented API
* License text is compared to the currently approved license list
** If matched, the SPDX ID is returned and the user is informed that the license already exists
* License is compared to all submitted yet not approved licenses
** If matched, the user is informed the license is already submitted and is provided a link to the [https://github.com/spdx/license-list-XML/issues License List XML issue]
* License is compared to all submitted and rejected licenses
** If a match is found, the user is provided a link to the [https://github.com/spdx/license-list-XML/issues License List XML issue]
* License is compared to the existing license list using an algorithm which finds close matches (SPDX License Diff is an example)
** If an existing license is close, a diff view will show the word differences
** The user is presented with a choice of adding an issue for the nearly matching license stating that the license should match
*** If the user chooses to add the issue, the license text will be added to the issue requesting a change to the license XML to allow the match
*** We could also implement suggested XML markup (e.g. alt or optional text) to make the licenses match - NOTE: This may be a technically challenging feature to implement
* If the user wants to submit a new license request, the information is captured and processed by the SPDX legal team through [https://github.com/spdx/license-list-XML GitHub]

====Skills Needed====
* Development skills in the Python language
* Experience with parser development
* Experience proposing spec changes
* Understanding of Github API's
* Experience in XML parsing

====Background Information====
The SPDX legal team uses an online request process for new license requests. This feature was implemented by a GSoC student in 2018. Extending the functionality to check for duplicate requests and checking for near matches would greatly improve the efficiency of the license request and approval process.

This project would require significant interaction with the users of the tool (the SPDX legal team) and would have some interesting technical challenges in storing and matching text. The optional feature of suggesting XML markup for near matches could involve sophisticated matching techniques to find the appropriate text to include as optional or alternate.

The current SPDX license list request process is documented in the [https://github.com/spdx/license-list-XML/blob/master/CONTRIBUTING.md License List XML contributing page].

====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall]

==Update Parser Libraries for Golang ==
Update one of the SPDX Golang libraries to the SPDX 2.1 specification. The current implementation in the [https://github.com/spdx/tools-go SPDX git repository] was built for use with version 1.2 of the SPDX specification; the current specification is now at version 2.1, and is a major upgrade from 1.2 including support for relationships between SPDX documents and SPDX elements.
====Skills Needed====
* Development skills in the Golang language
* Experience with parser development
* Understanding of RDF and XML
====Background Information====
SPDX currently provides libraries supporting the reading and writing of SPDX document.

A rewrite of the Golang tools for SPDX 2.1 is in process at [https://github.com/swinslow/spdx-go github.com/swinslow/spdx-go], but does not yet support RDF. The libraries should support both RDF/XML import/export as well as tag/value import/export. The tools should also support newer formats such as JSON and YAML as the SPDX definition for those formats continues to be established.

====Available Mentors====
[mailto:swinslow@linuxfoundation.org Steve Winslow]
[mailto:gary@sourceauditor.com Gary O'Neall]

==Additional Format Support for the Python Libraries==
Add the ability to read and write XML, JSON, and YAML formats of the SPDX documents.

====Skills Needed====
* Development skills in the Python language
* Experience with parser development
* Understanding of XML, JSON and YAML

====Background Information====
SPDX 2.1 specification supports reading and writing RDF/XML and a tag/value format for SPDX documents. Version 2.2 of the specification will add support for XML, JSON and YAML. The Python libraries currently support reading and writing the RDF/XML and tag/value. This project would extend the parsing and file generation capabilities of the python libraries to include XML, JSON and YAML format.

The current python libraries are in the [[https://github.com/spdx/tools-python SPDX python tools git repository]]

====Available Mentors====
[mailto:tetechris20@gmail.com Krys Nuvadga], [mailto:gary@sourceauditor.com Gary O'Neall]

== Port SPDX license expression library to Ruby, JavaScript and Java==
The [[https://github.com/nexB/license-expression/]|licens_expressionlibrary]] provides comprehensive support license expression using a boolean engine for Python.
The goal of this project is to port and/or package this library for JavaScript, Ruby and Java, considering either code conversion tools, alternative Python implementations (e.g. Jython) or calling Python from another language to bring the same features to these other languages.
====Skills Needed====
* Development skills in Python, Java, Ruby, JavaScript.

====Background Information====
See https://github.com/spdx/tools-python/issues/10 and https://github.com/nexB/license-expression/
====Available Mentors====
[mailto:pombredanne@nexb.com Philippe Ombredanne]

=SPDX Specification Projects=
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.

== SPDX Specification in PDF ==
Generate a version of the specification in PDF based on the markdown version in the SPDX specification repository
====Skills Needed====
* Understanding of documentation tooling
* Familiarity with GIT and github API's

====Background Information====
The [https://spdx.org/specifications 2.1 SPDX specification] has been moved to markdown on at https://github.com/spdx/spdx-spec
and now generates an HTML version at: https://spdx.github.io/spdx-spec

We need to find an approach to generate PDF (potential approach to consider at https://github.com/tombensve/MarkdownDoc)

====Available Mentors====
[mailto:kstewart@linuxfoundation.org Kate Stewart]
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]

== SPDX Specification Views for legal counsels and developers ==
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.
====Skills Needed====
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX
====Background Information====
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions
====Available Mentors====
[mailto:swinslow@linuxfoundation.org Steve Winslow]
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]

== SPDX Document Generator for projects using SPDXIDs ==
As more projects start to use SPDXIDs at the file level it becomes much simpler to generate SPDX docs for them from a python script.
====Skills Needed ====
* Ability to program in python
====Background Information ====
Forward thinking open source projects are adopting SPDXIDs in source files (initially U-Boot, but now much wider use like Zephyr, Linux Kernel, etc.)
With these easy to find "SPDX-License-Identifier:" strings, generating an SPDX document for a project is a matter of iterating over
the files in a project and extracting the information from these SPDXIDs and calculating checksums.
Creating an open source tool to do this will aid these projects in generating accurate SBOM information at release time.
This tool should be implemented as a command line, so it can be incorporated into builds, and options can be added.
Goal is that projects that use SPDX identifiers can automatically generate a SPDX document as a Software Bill of Materials
(SBOM) on demand (build, release, etc.).
====Available Mentors====
[mailto:kstewart@linuxfoundation.org Kate Stewart]
[mailto:saiudayshankar@gmail.com Uday Shankar]

GSOC/GSOC ProjectIdeas

2019-01-15T19:11:17Z

K.stewart: /* Background Information */

GSOC/GSOC ProjectIdeas

2019-01-15T19:08:33Z

K.stewart: Update description of the project.

Technical Team/SPDX RDF Vocabularies and Terms/2.1

2018-08-13T16:15:39Z

K.stewart: Created page with "The current SPDX 2.1 Vocabulary and Terms is available at http://spdx.org/rdf/terms"

The current SPDX 2.1 Vocabulary and Terms is available at http://spdx.org/rdf/terms

Technical Team/SPDX RDF Vocabularies and Terms

2018-08-13T16:15:11Z

K.stewart: /* Current */

This area houses the RDF Vocabularies and Terms for each version of the specification. If a link is not marked as Draft that means it was the final release for that version of the SPDX Specification. Do NOT edit those pages. The only pages which can be edited are marked as (DRAFT) in their link. If you see a problem with a final version please contact the Technical Team.

===Current ===
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/2.1|RDF SPDX Specification 2.1]]

===Historical ===
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/1.2|RDF SPDX Specification 1.2]]
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/1.1|RDF SPDX Specification 1.1]]
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/1.0|RDF SPDX Specification 1.0]]

[[Category:Technical]]

Technical Team/SPDX RDF Vocabularies and Terms

2018-08-13T16:14:19Z

K.stewart:

This area houses the RDF Vocabularies and Terms for each version of the specification. If a link is not marked as Draft that means it was the final release for that version of the SPDX Specification. Do NOT edit those pages. The only pages which can be edited are marked as (DRAFT) in their link. If you see a problem with a final version please contact the Technical Team.

===Current ===
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/2.0|RDF SPDX Specification 2.1]]

===Historical ===
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/1.2|RDF SPDX Specification 1.2]]
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/1.1|RDF SPDX Specification 1.1]]
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/1.0|RDF SPDX Specification 1.0]]

[[Category:Technical]]

Technical Team/SPDX RDF Vocabularies and Terms

2018-08-13T16:13:22Z

K.stewart:

General Meeting/Minutes/2018-08-02

2018-08-03T01:18:46Z

K.stewart: /* Outreach Team Report - Jack */

* Attendance: 13
* Lead by Phil Odence
* Minutes of July meeting approved

== Guest Presentation, - Supporting Continuous Integration, Ndip Tanyi==

* Idea- Automatically generating SPDX docs as part of CI process
* Scope
** Focused on Travis CI, NPM and Python
* Demo
** Add an install and SPDX build script to build script
** And some statements to push the SPDX docs to the repo
* Future extensions
** Pushing to GItHub as a commit
** Other CI systems
* Has been designed generically enough to be extensible to other languages and environments

== Tech Team Report - Kate/Gary ==

* Tools: GSoC is wrapping up in the next couple of weeks. Thank you to the students for their hard work and improvements to the project tools!

* Specification:
** Working through resolution of the external identifiers of the PURL specfication and our External Identifiers. We’re trying to get key discussion participants (Yev, Philippe, Treveor, Gary, Kate) all on the same call.
** on that note, we’re seeing a lot of interest in Security and ties into External Identifiers

* Security:
** NTIA held a software transparency workshop 2 weeks ago, and are moving forward with a workgroup to reconcile the formats that are out there. When there are more details on the workgroup, Kate will send out the invitation to participate to the SPDX general and technical lists.
** SPDX team will also be spinning up a security working group to focus on improving SPDX to support the SBOM for security issues, so watch out for more information, and if you have security contacts who are interested in participating, please subscribe to https://lists.spdx.org/g/spdx-security We'll be starting discussions there in the next month.

== Legal Team Report - Jilayne/Paul ==

* 3.2 is out
* Some clean up of old issues in process
* Request to that legal folks try out Tushar’s tool
* Exceptions
** The term is imperfect as it handles some items that are not “exceptions” per se
*** Patent grants, for example
*** Considering changing the term to be more neutral and inclusive
**** “Modifiers” maybe?
**** Will send an email to a wide audience get people thinking about it and set up a special meeting

== Outreach Team Report - Jack ==

* Website
** Making more sense of the License List and Documents section

* New time for Outreach calls is 7pm EDT
** * Shane Coughlin, from Open Chain, is getting involved to lead the Outreach to Companies (Japan based)

* OSS Summit
** Bake-off is on the Tuesday
** Morning will be on producing SPDX documents, and checking valid
** Afternoon session will be on consuming them.
** 6 tools (3 open source, 3 commercial) will be participating.

== Attendees ==

* Phil Odence, Black Duck/Synopsys
* Kate Stewart, Linux Foundation
* Ndip Tanyi, Alberta University
* Tushar Mittal, GSoC Student
* Gary O’Neall, SourceAuditor
* Yash Nisar, GSoC Student
* Jack Manbeck, TI
* Steve Winslow, LF
* Jilayne Lovejoy, ARM
* Paul Madick, Dimension Data
* Mike Dolan, Linux Foundation
* Matije Suklje, Liferay
* Mark Atwood, Amazon

[[Category:General|Minutes]]
[[Category:Minutes]]

Technical Team/Minutes/2018-07-24

2018-07-28T20:08:39Z

K.stewart: Add minutes from last meeting.

July 24, 2018
== Attendees ==
* Ndip Tanyi
* Steve Winslow
* Kate Stewart
* Philippe Ombredanne
* Michael Herzog
* Yev

==SPDX GSoC Updates==
* NDip -
working on unit tests
using colorama has conflicts
integrated with travis into plugin
started pushing up tests yesterday.
integrating plugin with an example project
NPM project being used, fixing download hard codes.
working on more projects through the rest of the week.
* Tushar – see Gitter
* Yash - see Gitter
* Gallo – see Gitter

== SPDX 2.2 - PURL inclusion ==
Philippe: PURL - effectively finalized.
Contributed in Java, python, javascript, C#, go implmentations ready
Discussion that we should wait for a version number, before including in.
Those on call basically ok with inclusion, likely redundant with adding to external ids in part, need to work through proposals.

== Improving SPDX to Support Security Ecosystem ==
Overview of NTIA workshop
Identifiers to support Security - relook at inclusion of SWIDs into 2.2
Concern raised that have to pay to see specification, need public source.

== Pending ==
* #53 & #54 - need to get resolution with both Trevor & Philippe on call.

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Technical Team/Minutes/2018-07-17

2018-07-24T15:49:20Z

K.stewart: Add minutes from last meeting.

July 17, 2018
== Attendees ==
* Jim Hutchinson
* Tushar Mittal
* Ndip Tanyi
* Steve Winslow
* Kate Stewart
* Thomas Steenberg

==SPDX GSoC Updates==
* NDip – clarifying travis CI with Gary last week.
Tests for plugin itself.
Working on unit tests.
Example projects have been used with plug in.
Worry: how interact with generated during the tests, solved.
* Tushar – Sorry my internet was not stable, so posting my work updates here. Last week I completed the diff feature, which the user can use to review the changes and the validate feature which validates the XML text against the license schema. Currently there is a small bugs in the diff feature and also I need to implement pulling of the schema from the repo when user uses the validate feature. For the pull request feature I asked one of the github members, so he said that one bot account is allowed for the users and organizations. So I'll be exploring the Github apps and figuring out which method works better. Will be post my views on that.
* Yash - see Gitter
* Gallo – see Gitter

== SPDX 2.1.1 Version of Specification==
* Thomas working through options PDF generation, issue with hard line breaks.

== SPDX 2.2 - Representing JSON / YAML / XML ==
* Preference from the participants was to move away from documenting each format for each field, and only document when special case information is needed. Now that we have the specification on github, and rendered on https://spdx.github.io/spdx-spec/ we have more options.
* Instead provide full examples for each section of the 5 formats for per chapter longer examples. Highlight “gotchas”, but in interface of web page, show real examples. showing full thing. YAML, JSON, XML, RDF, TAG:VALUE, desire to see all formats side by side.
* In terms of examples to use, we want something smaller, so selection is important. consider Timezone.js from NPM, file is 200 lines, 150 lines from relationships, 3 dependencies. Other suggestions welcome.
* Jim suggests we also look into compatibility tests in this area as we go forward. In particular he's interested in seeing some of the lessons from FUZZ testing applied here. He will come back with further proposals in future.

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Technical Team/SPDX Upcoming Meetings

2018-07-24T15:11:33Z

K.stewart: /* Upcoming Meeting Agenda */

=== Upcoming Meeting Agenda ===

*2016-07-24
:*GSOC update
:*SWID's revisited

* TBD
:* need: Gary, Philippe & Trevor

=== Topics to add to Tech Meeting Agenda ===

* please add...

GSOC/GSOC ProjectIdeas

2018-03-22T19:01:04Z

K.stewart: /* Available Mentors */

'''Welcome to the 2018 SPDX Google Summer of Code Project Page'''

See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.

Should you have questions please do not hesitate to contact one of the mentors directly.

 

__TOC__

 

== What is SPDX ? ==

First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.

As part of this effort we have developed a set of collateral that can be used:

* [https://spdx.org/using-spdx License List and Short Identifiers]
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Doucments in either RDF or Tag/Value format]
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]
* [https://spdx.org/using-spdx License Identifiers in source]

== Why choose an SPDX Project? ==

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.

 

= Getting Involved =

Beyond working wth your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list (see resources). There is however a weekly call you could join as well. All of the daily work for the Tech team is done on this wiki.

== Resources ==

* [http://spdx.org SPDX website]
* [https://spdx.org/specifications SPDX Specification]
* [https://spdx.org/tools SPDX Workgroup Tools webpage]
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]

=SPDX Workgroup Tooling Projects=
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX and increase the accuracy of the SPDX documents.

==Add New License Submital Feature to Online Tools==
The SPDX license list (see https://spdx.org/licenses/) is maintained by the SPDX legal team. The source for the license license list is maintained in the SPDX license-list-XML github repository (https://github.com/spdx/license-list-XML). Currently, new licenses are submitted through emails to the SPDX legal team and the license XML files are manually generated.

An online program could be created which would take all the relevant data (e.g. license name, URL to original link, license text), notify the legal team of the submission and create a pull request with the proper license XML format. Additional, optional useful features could include comparing the license text to existing licenses to avoid duplication, allow demarking optional text and tracking the approval status.

This project could be implemented in Python in the existing online tools.
====Skills Needed====
* Development skills in the Python language
* Knowledge of Git
* Understanding of XML
====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall] [mailto:rohit.lodhartg@gmail.com Rohit Lodha]

==Update Parser Libraries to SPDX 2.1 for GO==
Update one of the SPDX GO libraries to the SPDX 2.1 specification. The SPDX 2.1 specification is a major upgrade from SPDX 1.2 supporting relationships between SPDX documents and SPDX elements.
====Skills Needed====
* Development skills in the GO language
* Experience with parser development
* Understanding of RDF and XML
====Background Information====
SPDX currently provides libraries supporting the reading and writing of SPDX document. Currently, only Java libraries support the new SPDX 2.1 specification. The Python libraries and the GO libraries support version 1.2 of the spec. The libraries must support both RDF/XML import/export as well as tag/value import/export. The [[https://github.com/spdx/tools-go SPDX git repository]] SPDX Tools project contains the source code for the libraries.

====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall]

==Update Python SPDX library to SPDX 2.1==
Update one of the SPDX Python libraries to the SPDX 2.1 specification. The SPDX 2.1 specification is a major upgrade from SPDX 1.2 supporting relationships between SPDX documents and SPDX elements.
====Skills Needed====
* Development skills in the Python language

====Background Information====
SPDX currently provides libraries supporting the reading and writing of SPDX document. Currently, only Java libraries support the new SPDX 2.1 specification. The Python library support version 1.2 of the spec. The library must support primarily the tag/value import/export and also the RDF/XML import/export. The [[https://github.com/spdx/tools-python SPDX git repository]] SPDX Tools project contains the source code for this library.

====Available Mentors====
[mailto:pombredanne@nexb.com Philippe Ombredanne] [mailto:rohit.lodhartg@gmail.com Rohit Lodha]

==Add support for SPDX license expression to Python library==
Update the [[https://github.com/spdx/tools-python]|SPDX Python library]] to fully support license expression.
====Skills Needed====
* Development skills in the Python language

====Background Information====
See https://github.com/spdx/tools-python/issues/10 and https://github.com/nexB/license-expression/
====Available Mentors====
[mailto:pombredanne@nexb.com Philippe Ombredanne] [mailto:rohit.lodhartg@gmail.com Rohit Lodha]

== Port SPDX license expression library to Ruby, JavaScript and Java==
The [[https://github.com/nexB/license-expression/]|licens_expressionlibrary]] provides comprehensive support license expression using a boolean engine for Python.
The goal of this project is to port and/or package this library for JavaScript, Ruby and Java, considering either code conversion tools, alternative Python implementations (e.g. Jython) or calling Python from another language to bring the same features to these other languages.
====Skills Needed====
* Development skills in Python, Java, Ruby, JavaScript.

====Background Information====
See https://github.com/spdx/tools-python/issues/10 and https://github.com/nexB/license-expression/
====Available Mentors====
[mailto:pombredanne@nexb.com Philippe Ombredanne]

==Build Tool SPDX File Generators==
Support a continuous integration (CI) generation of SPDX files by creating a plugins or extensions to build tools. These plugins or extensions will generate valid SPDX documents based on the build file metadata and source files.

====Skills Needed====
* Experience developing parser/scanners
* Experience with the specific build tools
====Background Information====
Many build environments include license information in their metadata but do not produce sufficient information for good license compliance. By adding SPDX generation to these build environments, high quality licensing information can be captured in a way which is easily used by downstream users of the code. Following is a partial list of popular build environments/package managers which do not have an SPDX generation capability:
* MSBuild
* PIP
* NPM (Note: NPM does include SPDX compliance license information and tools)
* DEB
The Yocto build environment currently has some SPDX file generation capabilities, but there is a need for some additional work to integrate some of the existing tools into a more complete integrated toolset. The [https://github.com/goneall/spdx-maven-plugin SPDX Maven Plugin] is an example of an existing build tool SPDX generator.
====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall]
[mailto:pombredanne@nexb.com Philippe Ombredanne]

=SPDX Specification Projects=
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.

== SPDX Specification in MarkDown ==
Migrate the specification from Google docs to GitHub+MarkDown based toolchain capable of generating HTML, PDF and EPUB
====Skills Needed====
* Understanding of documentation tooling
* Web-development skills to style HTML version
====Background Information====
The [https://spdx.org/specifications 2.1 SPDX specification] PDF and HTML version have several issues.
1. Navigation through both document is difficult as a index is missing
2. Switching to GitHub+MarkDown will remove friction for contributors to comment/amend the specification. Common workflow within the OSS community
====Available Mentors====
[mailto:kstewart@linuxfoundation.org Kate Stewart]
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]

== SPDX Specification Wiki Examples of Package Managers ==
SPDX specification describes on a high level how to describe package, files and snippets but lack examples how to capture the use of package managers
====Skills Needed====
* Understanding of package managers
====Background Information====
To encourage adoption of SPDX it should be clear how to encode the use of common programming language package managers within SPDX. The aim of this project is to create example per build tool/package manager so that not only as example to the community but also form the input for SPDX tech team discussions and future tooling development

Initial package managers:
* Bower
* CocoaPods
* Gradle
* gem
* gitmodules
* Maven
* npm
* PyPi
* sbt
* NuGet

====Available Mentors====
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]
[mailto:stewart@linux.com Kate Stewart]

== SPDX Specification Views for legal counsels and developers ==
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.
====Skills Needed====
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX
====Background Information====
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions
====Available Mentors====
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]
[mailto:ybronshteyn@blackducksoftware.com Yev Bronshteyn]

Legal Team/Minutes/2018-03-22

2018-03-22T18:06:35Z

K.stewart: Fix typo in OpenIB (was OpenIG)

== Attendees ==

* Kate Stewart
* Paul Madick
* Dennis Clark
* Steve Winslow
* Jilayne Lovejoy

== Agenda ==
1) Discussed proposal for Google Summer of Code: https://wiki.spdx.org/view/GSOC/GSOC_ProjectIdeas#Add_New_License_Submital_Feature_to_Online_Tools and response to feedback Gary gave to a student interested in doing this project as per email sent (also can be seen here: https://lists.spdx.org/pipermail/spdx-legal/2018-March/002497.html

2) Looked at PRs and Issues (new license/exception requests) for pending 3.1 release
* merged PR # 614 and added new license: Linux-OpenIB PR # 620
* discussed new license request Issue #619 - to be added, but needed to check it’s not already on the list - confirmed it is not after call

* Next meeting: need to better nail down process for reviewing new license/exception requests. A few have been raised via Issues and gone unnoticed. Recommendation is to spend ~half of each legal call going through any new requests, so we are on a regular tick.

GSOC/GSOC ProjectIdeas

2018-01-30T20:46:15Z

K.stewart: /* SPDX Workgroup Tooling Projects */

'''Welcome to the 2018 SPDX Google Summer of Code Project Page'''

Should you have questions please do not hesitate to contact one of the mentors directly.

 

__TOC__

 

== What is SPDX ? ==

First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.

As part of this effort we have developed a set of collateral that can be used:

* [https://spdx.org/using-spdx License List and Short Identifiers]
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Doucments in either RDF or Tag/Value format]
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]
* [https://spdx.org/using-spdx License Identifiers in source]

== Why choose an SPDX Project? ==

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.

 

= Getting Involved =

Beyond working wth your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list (see resources). There is however a weekly call you could join as well. All of the daily work for the Tech team is done on this wiki.

== Resources ==

* [http://spdx.org SPDX website]
* [https://spdx.org/specifications SPDX Specification]
* [https://spdx.org/tools SPDX Workgroup Tools webpage]
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]

=SPDX Workgroup Tooling Projects=
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX and increase the accuracy of the SPDX documents.

==Update Parser Libraries to SPDX 2.1 for GO==
Update one of the SPDX GO libraries to the SPDX 2.1 specification. The SPDX 2.1 specification is a major upgrade from SPDX 1.2 supporting relationships between SPDX documents and SPDX elements.
====Skills Needed====
* Development skills in the GO language
* Experience with parser development
* Understanding of RDF and XML
====Background Information====
SPDX currently provides libraries supporting the reading and writing of SPDX document. Currently, only Java libraries support the new SPDX 2.1 specification. The Python libraries and the GO libraries support version 1.2 of the spec. The libraries must support both RDF/XML import/export as well as tag/value import/export. The [[git.spdx.org|SPDX git repository]] SPDX Tools project contains the source code for the libraries.
====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall]

==Update Python SPDX library to SPDX 2.1==
Update one of the SPDX Python libraries to the SPDX 2.1 specification. The SPDX 2.1 specification is a major upgrade from SPDX 1.2 supporting relationships between SPDX documents and SPDX elements.
====Skills Needed====
* Development skills in the Python language

====Background Information====
SPDX currently provides libraries supporting the reading and writing of SPDX document. Currently, only Java libraries support the new SPDX 2.1 specification. The Python library support version 1.2 of the spec. The library must support primarily the tag/value import/export and also the RDF/XML import/export. The [[https://github.com/spdx/tools-python|SPDX git repository]] SPDX Tools project contains the source code for this library.
====Available Mentors====
[mailto:pombredanne@nexb.com Philippe Ombredanne]

==Add support for SPDX license expression to Python library==
Update the [[https://github.com/spdx/tools-python]|SPDX Python library]] to fully support license expression.
====Skills Needed====
* Development skills in the Python language

====Background Information====
See https://github.com/spdx/tools-python/issues/10 and https://github.com/nexB/license-expression/
====Available Mentors====
[mailto:pombredanne@nexb.com Philippe Ombredanne]

== Port SPDX license expression library to Ruby, JavaScript and Java==
The [[https://github.com/nexB/license-expression/]|licens_expressionlibrary]] provides comprehensive support license expression using a boolean engine for Python.
The goal of this project is to port and/or package this library for JavaScript, Ruby and Java, considering either code conversion tools, alternative Python implementations (e.g. Jython) or calling Python from another language to bring the same features to these other languages.
====Skills Needed====
* Development skills in Python, Java, Ruby, JavaScript.

====Background Information====
See https://github.com/spdx/tools-python/issues/10 and https://github.com/nexB/license-expression/
====Available Mentors====
[mailto:pombredanne@nexb.com Philippe Ombredanne]

==Build Tool SPDX File Generators==
Support a continuous integration (CI) generation of SPDX files by creating a plugins or extensions to build tools. These plugins or extensions will generate valid SPDX documents based on the build file metadata and source files.

====Skills Needed====
* Experience developing parser/scanners
* Experience with the specific build tools
====Background Information====
Many build environments include license information in their metadata but do not produce sufficient information for good license compliance. By adding SPDX generation to these build environments, high quality licensing information can be captured in a way which is easily used by downstream users of the code. Following is a partial list of popular build environments/package managers which do not have an SPDX generation capability:
* MSBuild
* PIP
* NPM (Note: NPM does include SPDX compliance license information and tools)
* DEB
The Yocto build environment currently has some SPDX file generation capabilities, but there is a need for some additional work to integrate some of the existing tools into a more complete integrated toolset. The [https://github.com/goneall/spdx-maven-plugin SPDX Maven Plugin] is an example of an existing build tool SPDX generator.
====Available Mentors====
[mailto:gary@sourceauditor.com Gary O'Neall]
[mailto:pombredanne@nexb.com Philippe Ombredanne]

=SPDX Specification Projects=
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.

== SPDX Specification in MarkDown ==
Migrate the specification from Google docs to GitHub+MarkDown based toolchain capable of generating HTML, PDF and EPUB
====Skills Needed====
* Understanding of documentation tooling
* Web-development skills to style HTML version
====Background Information====
The [https://spdx.org/specifications 2.1 SPDX specification] PDF and HTML version have several issues.
1. Navigation through both document is difficult as a index is missing
2. Switching to GitHub+MarkDown will remove friction for contributors to comment/amend the specification. Common workflow within the OSS community
====Available Mentors====
[mailto:kstewart@linuxfoundation.org Kate Stewart]
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]

== SPDX Specification Wiki Examples of Package Managers ==
SPDX specification describes on a high level how to describe package, files and snippets but lack examples how to capture the use of package managers
====Skills Needed====
* Understanding of package managers
====Background Information====
To encourage adoption of SPDX it should be clear how to encode the use of common programming language package managers within SPDX. The aim of this project is to create example per build tool/package manager so that not only as example to the community but also form the input for SPDX tech team discussions and future tooling development

Initial package managers:
* Bower
* CocoaPods
* Gradle
* gem
* gitmodules
* Maven
* npm
* PyPi
* sbt
* NuGet

====Available Mentors====
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]

== SPDX Specification Views for legal counsels and developers ==
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.
====Skills Needed====
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX
====Background Information====
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions
====Available Mentors====
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]
[mailto:ybronshteyn@blackducksoftware.com Yev Bronshteyn]

GSOC/GSOC ProjectIdeas

2018-01-30T18:06:20Z

K.stewart: /* 2018 Projects */

'''Welcome to the 2018 SPDX Google Summer of Code Project Page'''

Should you have questions please do not hesitate to contact one of the mentors directly.

 

__TOC__

 

== What is SPDX ? ==

First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.

As part of this effort we have developed a set of collateral that can be used:

* [https://spdx.org/using-spdx License List and Short Identifiers]
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Doucments in either RDF or Tag/Value format]
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]
* [https://spdx.org/using-spdx License Identifiers in source]

== Why choose an SPDX Project? ==

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.

 

= Getting Involved =

Beyond working wth your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list (see resources). There is however a weekly call you could join as well. All of the daily work for the Tech team is done on this wiki.

== Resources ==

* [http://spdx.org SPDX website]
* [https://spdx.org/specifications SPDX Specification]
* [https://spdx.org/tools SPDX Workgroup Tools webpage]
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]

= 2018 Projects =

These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX and increase the accuracy of the SPDX documents.

==Update Parser Libraries to SPDX 2.0==
Update one of the SPDX language libraries to the SPDX 2.0 specification. The SPDX 2.0 specification is a major upgrade from SPDX 1.2 supporting relationships between SPDX documents and SPDX elements.

===Skills Needed===
* Development skills in the language of choice (e.g. Java or Python or Go)
* Experience with parser development
* Understanding of RDF and XML

===Background Information===
SPDX currently provides libraries supporting the reading and writing of SPDX document. Currently, only Java libraries support the new SPDX 2.0 specification. The Python and GO libraries support version 1.2 of the spec. The libraries must support both RDF/XML import/export as well as tag/value import/export. The [[https://github.com/spdx/|SPDX git repository]] SPDX Tools project contains the source code for the libraries.

===Available Mentors===
[mailto:gary@sourceauditor.com Gary O'Neall] Java
[mailto:pombredanne@gmail.com Philippe Ombredanne] Python and Go

==Online Validation Tools==
Create a web accessible tool for validating SPDX documents. Validation goals will need to be further defined but should include syntax checks for field names and inclusion of all required fields. Note that SPDX documents can be in one of two formats: RDF and Tag/Value.

===Skills Needed===
* Software development skills for Web based applications
* Good user interface design skills
* This could be written in any of Python, JavaScript or Java

===Background Information===
An online form which allows the uploading, parsing, and validation of SPDX would provide immediate benefit to the SPDX community. There is no specific programming language requirement, but there is an existing Java library which could be used in the project. Some of the technical challenges for this project include having to handle long running operations and implementing a very robust parser implementation able to handle any input. Additional online tools could also be added, such as document format conversion and reporting/pretty printing.

As a bonus or separate project, this could include providing a UI and an API for SPDX expression validation.

===Available Mentors===
* [mailto:gary@sourceauditor.com Gary O'Neall]
* [mailto:germonprez@gmail.com Matt Germonprez]]
* [mailto:pombredanne@nexb.com Philippe Ombredanne]

==GIT Plugin to generate SPDX==
Create a GIT Plugin that can generate an SPDX Document with just the required fields from a GIT.

===Skills Needed===
* Experience with HTTP and JSON
* Understanding of GIT
* Python or Java or C

===Background Information===
This project is to look at either a GIT hook or interfacing to GitHub to generate SPDX documents. This can be two separate projects.

===Available Mentors===
* [mailto:gary@sourceauditor.com Gary O'Neall]
* [mailto:pombredanne@nexb.com Philippe Ombredanne]

==Source Code Parser==
Create a tool which will parse source code and create an SPDX document based on SPDX standard license identifiers found in the source code, licenses found and copyrights found. The tool will also produce a score indicating how well documented the licenses are.

===Skills Needed===
* Experience developing parser/scanners
* Understanding of various programming languages
* Python or Java development experience a plus

===Background Information===
There is a proposal to add [[Technical_Team/SPDX_Meta_Tags|Meta Tags]] in source code comments. Once these license ID's have been produced, this tool could scan the source code for the meta tags and create the appropriate SPDX document. There is no language requirement, however there are existing Java libraries which could help build the SPDX document.

===Available Mentors===
* [mailto:gary@sourceauditor.com Gary O'Neall]
* [mailto:j-manbeck2@ti.com Jack Manbeck]

==License Coverage Grader ==
Create a tool which will take an SPDX document and pointer to the original source files, and determine a "grade" to quantify how complete the licensing information is at the file level for the code represented by the SPDX document.

===Skills Needed===
* Experience with Python
* Understanding of various programming languages and mime types
* Familiarity with SPDX specification is a plus

===Background Information===
There have been several talks about the need for a package level License Coverage Grade. This project will come up with an initial set of heuristics based on MIME types for what file types should have automatically detectable license identifiers. Then create a command line tool that will accept and parse an SPDX document and a pointer to sources that created it, and come up with license coverage "grade" for the package.

===Available Mentors===
* [mailto:kstewart@linuxfoundation.org Kate Stewart]
* [mailto:pombredanne@nexb.com Philippe Ombredanne]

GSOC/GSOC ProjectIdeas

2018-01-30T18:05:33Z

K.stewart:

'''Welcome to the 2018 SPDX Google Summer of Code Project Page'''

Should you have questions please do not hesitate to contact one of the mentors directly.

 

__TOC__

 

== What is SPDX ? ==

First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.

As part of this effort we have developed a set of collateral that can be used:

* [https://spdx.org/using-spdx License List and Short Identifiers]
* [https://spdx.org/using-spdx SPDX Specification for generating SPDX Doucments in either RDF or Tag/Value format]
* [https://spdx.org/tools A set of basic tools for working with SPDX Documents]
* [https://spdx.org/using-spdx License Identifiers in source]

== Why choose an SPDX Project? ==

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.

 

= Getting Involved =

Beyond working wth your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list (see resources). There is however a weekly call you could join as well. All of the daily work for the Tech team is done on this wiki.

== Resources ==

* [http://spdx.org SPDX website]
* [https://spdx.org/specifications SPDX Specification]
* [https://spdx.org/tools SPDX Workgroup Tools webpage]
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]

= 2017 Projects =

These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX and increase the accuracy of the SPDX documents.

==Update Parser Libraries to SPDX 2.0==
Update one of the SPDX language libraries to the SPDX 2.0 specification. The SPDX 2.0 specification is a major upgrade from SPDX 1.2 supporting relationships between SPDX documents and SPDX elements.

===Skills Needed===
* Development skills in the language of choice (e.g. Java or Python or Go)
* Experience with parser development
* Understanding of RDF and XML

===Background Information===
SPDX currently provides libraries supporting the reading and writing of SPDX document. Currently, only Java libraries support the new SPDX 2.0 specification. The Python and GO libraries support version 1.2 of the spec. The libraries must support both RDF/XML import/export as well as tag/value import/export. The [[https://github.com/spdx/|SPDX git repository]] SPDX Tools project contains the source code for the libraries.

===Available Mentors===
[mailto:gary@sourceauditor.com Gary O'Neall] Java
[mailto:pombredanne@gmail.com Philippe Ombredanne] Python and Go

==Online Validation Tools==
Create a web accessible tool for validating SPDX documents. Validation goals will need to be further defined but should include syntax checks for field names and inclusion of all required fields. Note that SPDX documents can be in one of two formats: RDF and Tag/Value.

===Skills Needed===
* Software development skills for Web based applications
* Good user interface design skills
* This could be written in any of Python, JavaScript or Java

===Background Information===
An online form which allows the uploading, parsing, and validation of SPDX would provide immediate benefit to the SPDX community. There is no specific programming language requirement, but there is an existing Java library which could be used in the project. Some of the technical challenges for this project include having to handle long running operations and implementing a very robust parser implementation able to handle any input. Additional online tools could also be added, such as document format conversion and reporting/pretty printing.

As a bonus or separate project, this could include providing a UI and an API for SPDX expression validation.

===Available Mentors===
* [mailto:gary@sourceauditor.com Gary O'Neall]
* [mailto:germonprez@gmail.com Matt Germonprez]]
* [mailto:pombredanne@nexb.com Philippe Ombredanne]

==GIT Plugin to generate SPDX==
Create a GIT Plugin that can generate an SPDX Document with just the required fields from a GIT.

===Skills Needed===
* Experience with HTTP and JSON
* Understanding of GIT
* Python or Java or C

===Background Information===
This project is to look at either a GIT hook or interfacing to GitHub to generate SPDX documents. This can be two separate projects.

===Available Mentors===
* [mailto:gary@sourceauditor.com Gary O'Neall]
* [mailto:pombredanne@nexb.com Philippe Ombredanne]

==Source Code Parser==
Create a tool which will parse source code and create an SPDX document based on SPDX standard license identifiers found in the source code, licenses found and copyrights found. The tool will also produce a score indicating how well documented the licenses are.

===Skills Needed===
* Experience developing parser/scanners
* Understanding of various programming languages
* Python or Java development experience a plus

===Background Information===
There is a proposal to add [[Technical_Team/SPDX_Meta_Tags|Meta Tags]] in source code comments. Once these license ID's have been produced, this tool could scan the source code for the meta tags and create the appropriate SPDX document. There is no language requirement, however there are existing Java libraries which could help build the SPDX document.

===Available Mentors===
* [mailto:gary@sourceauditor.com Gary O'Neall]
* [mailto:j-manbeck2@ti.com Jack Manbeck]

==License Coverage Grader ==
Create a tool which will take an SPDX document and pointer to the original source files, and determine a "grade" to quantify how complete the licensing information is at the file level for the code represented by the SPDX document.

===Skills Needed===
* Experience with Python
* Understanding of various programming languages and mime types
* Familiarity with SPDX specification is a plus

===Background Information===
There have been several talks about the need for a package level License Coverage Grade. This project will come up with an initial set of heuristics based on MIME types for what file types should have automatically detectable license identifiers. Then create a command line tool that will accept and parse an SPDX document and a pointer to sources that created it, and come up with license coverage "grade" for the package.

===Available Mentors===
* [mailto:kstewart@linuxfoundation.org Kate Stewart]
* [mailto:pombredanne@nexb.com Philippe Ombredanne]

Technical Team/Minutes/2018-01-23

2018-01-23T22:19:32Z

K.stewart: fix date at start

Jan. 23, 2018
== Attendees ==
* Thomas Steenbergen
* Alexios Zavras
* Trevor King
* Bradlee Edmondson
* Steve Winslow
* Kate Stewart
* Yev Bronshteyn

==SPDX 2.1.1 ==
* Context: This should be the same as 2.1 other than typos, bugs and formatting fixes.

=== Pull request #17 ===
* use of … vs elipse symbol. Decision to go "..." as will be easier to maintain
* 3.9.4 Verification code changes need to be reverted, add to 2.2 to discuss.
* Roll back camel case changes (should stay as is in RDF)
* Investigate - Chapter 13 references.
* 3.10.7 - RDF examples, revert.
* 3.14.4 - missing backtick.
* 3.15.4 - double check this one.
* don’t change <> to {} in 2.1.1 — discuss this for 2.2.
* 3.17.1 make it match the .pdf version. as close as possible.
* 3.21 using backticks preference. Going from 3.21.1 to 3.21.6 (format bug)
===Pull request #23===
* move to 2.2 - get Yev’s input on it.
===Pull request #40===
move to 2.2
===Pull request #68===
*Agree to be added as 2.1.1
===Pull request #7===
*Will be done.
===Pull request #1===
*Will happen automatically as soon as document generated
===Pull request #18===
* Using bold instead of linking to subsections, better maintainability.
* Trevor concerned about link maintenance with Markdown? Thomas waiting for a link checker to be open sourced. Will be a plugin.
===Pull request #57===
* need to get input from Gary & Yev as to what resolution should be.
===Pull request #63===
* move to 2.2 (was 2.1.1)

===TODO===
* add bug to add Thomas and Trevor’s name to contributors at start of 2.1.1 version.
* Feb 13th. Signing off on 2.1.1 - work on via email to then.
* Open question - does it make sense to put out an SPDX document for the specification and its build tools? Probably punt to 2.2

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Technical Team/Minutes/2018-01-15

2018-01-23T19:17:28Z

K.stewart:

Redirect to https://wiki.spdx.org/view/Technical_Team/Minutes/2018-01-16

Technical Team/Minutes/2018-01-16

2018-01-23T19:16:57Z

K.stewart: Add notes from 2018-01-16 meeting (was erroneously put in as 2018-01-15).

Jan. 16, 2018
== Attendees ==
* Gary O’Neall
* Kate Stewart
* Jack Manbeck
* Thomas Steenberg
* Philippe Ombredanne

==GSoC proposal==
* Gary, Kate, Phlippe have volunteered to be admins.
* 5 project proposals have been created, see: https://docs.google.com/document/d/1Hyt-ZnpewNBS9Y6tHzaOkzPoNbxQ0Cd0GukyzqsSsM0/edit
* Jack has volunteered to clean up the GSoC page for 2018
* Request was made to link GSoC 2017 pages to results demonstrated.

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Technical Team/Minutes/2018-01-23

2018-01-23T19:13:49Z

K.stewart: Add notes from 2018-01-23 meeting

an. 2, 2018
== Attendees ==
* Thomas Steenbergen
* Alexios Zavras
* Trevor King
* Bradlee Edmondson
* Steve Winslow
* Kate Stewart
* Yev Bronshteyn

==SPDX 2.1.1 ==
* Context: This should be the same as 2.1 other than typos, bugs and formatting fixes.

=== Pull request #17 ===
* use of … vs elipse symbol. Decision to go "..." as will be easier to maintain
* 3.9.4 Verification code changes need to be reverted, add to 2.2 to discuss.
* Roll back camel case changes (should stay as is in RDF)
* Investigate - Chapter 13 references.
* 3.10.7 - RDF examples, revert.
* 3.14.4 - missing backtick.
* 3.15.4 - double check this one.
* don’t change <> to {} in 2.1.1 — discuss this for 2.2.
* 3.17.1 make it match the .pdf version. as close as possible.
* 3.21 using backticks preference. Going from 3.21.1 to 3.21.6 (format bug)
===Pull request #23===
* move to 2.2 - get Yev’s input on it.
===Pull request #40===
move to 2.2
===Pull request #68===
*Agree to be added as 2.1.1
===Pull request #7===
*Will be done.
===Pull request #1===
*Will happen automatically as soon as document generated
===Pull request #18===
* Using bold instead of linking to subsections, better maintainability.
* Trevor concerned about link maintenance with Markdown? Thomas waiting for a link checker to be open sourced. Will be a plugin.
===Pull request #57===
* need to get input from Gary & Yev as to what resolution should be.
===Pull request #63===
* move to 2.2 (was 2.1.1)

===TODO===
* add bug to add Thomas and Trevor’s name to contributors at start of 2.1.1 version.
* Feb 13th. Signing off on 2.1.1 - work on via email to then.
* Open question - does it make sense to put out an SPDX document for the specification and its build tools? Probably punt to 2.2

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Technical Team/Minutes/2018-01-15

2018-01-16T19:09:29Z

K.stewart: Add notes from 2018-01-15 meeting.

Jan. 15, 2018
== Attendees ==
* Gary O’Neall
* Kate Stewart
* Jack Manbeck
* Thomas Steenberg
* Philippe Ombredanne

==GSoC proposal==
* Gary, Kate, Phlippe have volunteered to be admins.
* 5 project proposals have been created, see: https://docs.google.com/document/d/1Hyt-ZnpewNBS9Y6tHzaOkzPoNbxQ0Cd0GukyzqsSsM0/edit
* Jack has volunteered to clean up the GSoC page for 2018
* Request was made to link GSoC 2017 pages to results demonstrated.

[[Category:Technical|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2017-12-07

2017-12-07T17:55:21Z

K.stewart: /* Guest Speaker - Pedro Giffuni - FreeBSD */

* Attendance: 15
* Lead by Gary O'Neall
* Minutes of Nov meeting approved
== Guest Speaker - Pedro Giffuni - FreeBSD ==
* Overview and history of FreeBSD
* Licensing - several variations of licenses, difficult to keep track
** Mostly free of copyleft (exceptions tools like gcc)
** Mix of BSD styles, MIT, ISC
* SPDX helps solve some of the issues with non-uniform licenses
* SPDX helps describe licenses when sharing code with other projects
** Used WindRiver service to do initial identifications
** Identified licenses needed manual review - not all of the license matches were precise
** Breakdown of the licenses found was provided
* Pedro has been adding the SPDX tags
* Currently, only tagged C files ahd headers
* Build files and documentation still need to be tagged
* Just adding tag, not removing the licenses
** Discussion on the advantages / disadvantages of keeping the license
** Most important aspect is to add the SPDX ID for easy identification
* Question on tagging some of the non-core files
** Other projects are outside the tree and not currently tagged - they are maintained by other groups

== Tech Team Report - Kate and Gary ==
* SPDX proposals for 2.2 and 3.0 versions of the spec are now in github
* Some discussion on extending the license expression to include an ambiguous operator
* Some discussion on various tooling effort including the tools presented by Thomas in Prague
* Most tooling efforts have been focused on supporting the legal team move to the license XML format
* Kate and Philippe provided an update on the use of license ID's in the Linux Kernel
** All files now have detectable licenses!
** LWN has an article describing the effort: https://lwn.net/Articles/739183/
* Philippe presented at the Paris Open Source summit
== Outreach Team Report - Jack ==
* Moving to new wordpress website
* Encouraged everyone to take a look at the site (note: you will need access to sign in)
* Target to move in December, but it may end up being January
== Legal Team Report - Jilayne ==
* Closed the GPL identifier issue requested by the FSF
** The updated solution was accepted by FSF and Richard Stallman
* We are now in "feature freeze" for the next release
** We should hold off on opening up or discussing larger issues not related to the next release
** Effort should be focused on resolving remaining issues in the github repository
== Attendees ==
* Kate Stewart, Linux Foundation
* Philippe Ombredanne, NexB
* Bradlee Edmondson, Harvard
* Pedro Giffuni, FreeBSD
* Rob Musial
* Jeff Luszcz, Flexera
* Dennis Clark, NexB
* Gary O'Neall, Source Auditor
* Alexios Zavras
* Jilayne Lovejoy, ARM
* Scott Lammons, FreeBSD
* Mathew Crawford, ARM

[[Category:General|Minutes]]
[[Category:Minutes]]

Legal Team

2017-11-12T13:38:59Z

K.stewart: Update the call in information to reflect new phone number.

This is the working area for the Legal Team. The SPDX Legal Team supports and provides recommendations to the SPDX working groups regarding licensing issues for the specification itself; maintains the [http://spdx.org/licenses/ SPDX License List]; and promotes the SPDX specification to the legal community at-large.

Work for the SPDX Legal Team is done both via the mailing list and bi-weekly calls. In particular, the bi-weekly calls are used to discuss topics and issues that may be difficult to only discuss via email.

'''You can join the mailing list and otherwise manage your subscription here''': https://lists.spdx.org/mailman/listinfo/spdx-legal

An invite for the bi-weekly calls is sent to the mailing list at the beginning of each year. If you join the mailing list later, you may not have gotten the invite. The details of the calls are below for anyone to join and meeting reminders are usually sent prior to the call on the mailing list.

The Legal Team meets '''every other Thursday at 18:00 GMT (10:00AM PT, 11:00 MT, 12:00 CT, 1:00PM ET)'''.

Web conference: http://uberconference.com/SPDXTeam
Optional dial in number: 415-881-1586
No PIN needed

* [[Legal_Team/Minutes|Meeting Minutes of the Legal Team]]
* [[Legal_Team/License_List/Licenses_Under_Consideration|Licenses & Exceptions Under Consideration]]
* [[Legal_Team/Fedora-comparison|Fedora/SPDX license list inclusion and comparison]]

* [[Legal_Team/Decisions|Decisions of the Legal Team]] - summaries of past significant decisions of the SPDX Legal Team

'''Working pages for project in progress:'''
* [[Legal_Team/Templatizing|Working page for XML Templatizing project to improve machine detection & recognition]]
* [[Legal_Team/non-English-licenses|Working page for policy on how to handle non-English licenses and matching]]
* [[Legal_Team/only-operator-proposal|Working page for policy on proposal to add only operator and otherwise better deal with license that have "or later" clauses overall]]



[[Category:Legal]]

Outreach Team

2017-11-12T13:37:23Z

K.stewart: Update the call in information to reflect new phone number.

This is the working area for the Outreach (formally Business) Team. This team has primary responsibility for go-to-market activities of SPDX, including: launch activities for new versions of the SPDX specification; outreach; participation in events; and the SPDX website.

The Outreach Team meets every other Thursday at 18:00 GMT (10:00AM PT, 11:00 MT, 12:00 CT, 1:00PM ET) starting on 14 January 2016.

Call this number: (United States): +1-415-881-1586
No PIN needed
International: visit the URL at http://uberconference.com/SPDXTeam

* [[Business_Team/Priorities|Current Priorities and Work in Progress for the Outreach Team]]
* [[Business_Team/Minutes|Meeting Minutes for the Outreach Team]]
* [[Business_Team/Old|Older Items for the Outreach Team]]
* [[SPDX_FAQ|SPDX FAQs]]

[[Category:Business]]

General Meeting

2017-11-12T13:35:55Z

K.stewart: Update the call in information to reflect new phone number.

This is the working area for the General Team. This team has primary responsibility for summarizing the activities of the three working teams and discussing cross-functional issues. The minutes of this monthly meeting provide a good summary of what's going on across the SPDX group, so signing up for the General Meeting mailing list is a good way to stay in touch.

The General Team meets on the first Thursday of every month at 16:00 GMT (8:00AM PT, 9:00AM MT, 10:00AM CT, 11:00ET).
Join the call: https://www.uberconference.com/SPDXTeam
Optional dial in number: +1-415-881-1586
No PIN needed

* [[General_Meeting/Priorities|Current Priorities]]
* [[General_Meeting/Minutes|Meeting Minutes]]
* [[General_Meeting/Presentation_Materials|Presentation Materials]]
* [[General_Meeting/Old|Older Items]]

[[Category:General]]

Technical Team

2017-11-12T13:35:00Z

K.stewart: Update the call in information to reflect new phone number.

This is the working area for the technical team. This team has primary responsibility for drafting the specification and developing documentation, templates, samples and tools.

The Technical Team meets weekly on

Tuesdays at 17:00 UTC (and best guess for local time - 10:00AM PDT, 11:00 MDT, 12:00PM CDT, 1:00PM EDT, 18:00 WAT, 19:00 CEST).
Optional dial in number: +1-415-881-1586
No PIN needed

Screenshare:
http://uberconference.com/SPDXTeam

* [[Technical_Team/SPDX_Upcoming_Meetings|SPDX Upcoming Meeting Agenda]]
* [[Technical_Team/SPDX_Specification_Versions|SPDX Specification Versions]]
* [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms|SPDX RDF Vocabularies and Terms]]
* [[Technical_Team/Minutes|Meeting Minutes for the Technical Team]]
* [[Technical_Team/Priorities|Current Priorities and Work in Progress for the Technical Team]]
* [[Technical_Team/Old|Older Items for the Technical Team]]
* [[Technical_Team/Field_Names|Field Names]]
* [[Technical_Team/Spreadsheet_Template|Spreadsheet Template]]

[[Category:Technical]] [[Category:TestCategory]]

Technical Team/Minutes/2017-06-27

2017-07-11T18:46:17Z

K.stewart: remove some extra whitespace

June 27, 2017
== Attendees ==
* Gary O’Neall
* Thomas Steenberg
* Anna Buhman
* Krys Nuvadga
* Alexios Zavras
* Yev Bronshteyn
* Uday Korlimarla
* Kate Stewart
* Aleksandr Lisianoi
* Rohit Lodha
* Philippe Ombredanne

==GSoC Updates==
* Rohit – online tools
** Verification complete
** Conversion tools nearly complete
** Would like to improve the Java tools to report line numbers for more validation errors
** May complete the work before end of August and would like to contribute to the Java tools if complete early
* Alex
** Transpiling to JavaScript
** Working on the Boolean expressions to support license expressions
** Would like to produce NPM package
* Krys
** License scoring project
** Able to get information from spec
** Target working prototype by start of next week
** Detailed information in the repo
** Using the DJango framework
** Philippe suggested getting the code working outside the framework first, then add a web framework
** Philippe suggested having more SPDX examples
* Anna
** Github SPDX integration – scans automatically
** Working on pull request approach to put SPDX document back into Repository
*** Philippe suggested having a github user for the server to create the pull requests
*** Gary suggested making that user configurable
*** This could also help with private repositories where the user configured could have access – but we agreed that private repos would not be in scope for this week
==Update on Spec Repository==
* Thomas is working on OpenChain as well
* Travis CI is still failing – Thomas is working on the last bug
* Intent is to build all types of documents automatically (HTML, PDF, etc.)
* Problem has to do with permissions
==Next SPDX Specification==
* Discussed Yev’s proposal for more concise representation of relationships
** Agreed to pursue approach
** Yev will provide definitions (added to end of google docs)
* Discussed alternative package alias proposal from Thomas – Agreed this is useful
** Discussed whether to just change the cardinality of name to be multiple
** Agreed on the additional name approach rather than changing the cardinality
** Discussed alternateName or packageAlternateName – tag/value would be packageAlternateName, RDF would be alternateName
** Discussed if we still need to require packageName if alternateName is provided – agreed to require packageName for compatibility reasons
** Does alternatative name apply to other SPDX element?
*** Could be useful for license names – follow-up with legal team
*** Snippet names – not useful
*** Document names – not useful
*** File names – could be useful, but a different semantic and would be treated differently

[[Category:Technical|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2017-06-01

2017-06-01T15:39:28Z

K.stewart: /* Tech Team Report - Kate/Gary */

* Attendance: 9
* Lead by Phil Odence
* Minutes of May meeting approved

== Tech Team Report - Kate/Gary ==

* Good progress on getting spec to GitHub
** Should have a new version within the next month
** Will be adapting processes to new source
* Substantively working though list of items for next release
** Still up in the air whether we will go to a 2.2 or directly to 3.0
*** Need to resolve by Aug
*** 2.2 candidates- clean up appendices for license list work, a few additional fields
** 3.0 will imply compatibility issues
** Timeframe depends on above, but likely 2018 in any case
* Summer of Code
** A number of students have started
** Participation in Tech Calls
** One just starting to commit to GitHub
* Tooling
** Moving apace
* News- Someone from IBM mentioned they are using SPDX short identifiers internally (at OSCON event).

== Legal Team Report - Jilayne/Paul ==

* Lots of activity
* XML work still underway; Gary supporting with tooling
* Other large threads
** Discussion about how to deal with licenses that have been translated
*** There is a default policy with which we’ve been consistent
*** Re-looking into this in light of new XML stuff and need for automated matching
*** JL started a Wiki page to pull together all the proposals
** Kate/JL reached out to FSF
*** For rallying support
*** Issue: how we represent license and “or later” with the syntax sometimes goes unnoticed
**** Perhaps recasting as a separate v2 only license is a better way to handle
**** But there are implications we need to think through

== Outreach Team Report ==

* Basically we are still working on a proposal for how to allow tools to get a badge or certification for working with SPDX documents
* and an umbrella project for Github for all of our projects out there.
* Kate- also looking to create an archive of past projects which are no longer active
* Bakeoff at LinuxCon Europe (October in Prague) is likely.
** Working on test suite to be available for this.

== Attendees ==

* Phil Odence, Black Duck
* Paul Madick, Dimension Data
* Michael Herzog- nexB
* Jilayne Lovejoy, ARM
* Kate Stewart, Linux Foundation
* Bradlee Edmondson, Harvard
* Gary O’Neall, SourceAuditor
* Alexios Zavras, Intel
* Mike Dolan, Linux Foundation

[[Category:General|Minutes]]
[[Category:Minutes]]