SPDX Wiki - User contributions [en]

General Meeting

2014-11-18T22:40:03Z

MartinMichlmayr: Link to minutes rather than latest minutes since latest minutes are broken

This is the working area for the General Team. This team has primary responsibility for summarizing the activities of the three working teams and discussing cross-functional issues. The minutes of this monthly meeting provide a good summary of what's going on across the SPDX group, so signing up for the General Meeting mailing list is a good way to stay in touch.

The General Team meets on the first Thursday of every month at 16:00 GMT (8:00AM PT, 9:00AM MT, 10:00AM CT, 11:00ET).
Dial-in number: 1.877.435.0230 (US and Canada) or 1.253.336.6732 (International)
Conference code: 7812589502

* [[General_Meeting/Priorities|Current Priorities]]
* [[General_Meeting/Minutes|Meeting Minutes]]
* [[General_Meeting/Presentation_Materials|Presentation Materials]]
* [[General_Meeting/Old|Older Items]]

[[Category:General]]

Technical Team/Minutes

2014-07-16T15:00:59Z

MartinMichlmayr: switch kidsonly to no

{{#subpages:|format=ul|kidsonly=no|pathstyle=none|sort=desc}}

[[Category:Technical|Minutes]]
[[Category:Minutes]]
[[Technical Team/Minutes/CollabSummitPhotos|White Boards from Collab Summit]]

Legal Team/Minutes

2014-07-16T14:58:38Z

MartinMichlmayr: switch kidsonly to no

{{#subpages:|format=ul|kidsonly=no|pathstyle=none|sort=desc}}

[[Category:Legal|Minutes]]
[[Category:Minutes]]

General Meeting/Latest Minutes

2014-07-16T14:35:43Z

MartinMichlmayr: switch kidsonly to no

These are the latest meeting minutes for the General Meeting.

{{#subpages:|page=General_Meeting/Minutes|format=ul|kidsonly=no|pathstyle=none|sort=desc|limit=5}}

A [[General_Meeting/Minutes|complete list of minutes]] is available too.

General Meeting/Minutes

2014-07-16T14:35:17Z

MartinMichlmayr: switch kidsonly to no

These are the meeting minutes and decisions for the General Meeting.

{{#subpages:|format=ul|kidsonly=no|pathstyle=none|sort=desc}}
[[Category:General|Minutes]]
[[Category:Minutes]]

Business Team/Launch/1.1

2013-09-05T13:10:29Z

MartinMichlmayr: Fix link to 1.0 press release

[http://lcna2012.sched.org/event/d6abd8bb5f87585c538181d3dce0825f?iframe=yes&w=900&sidebar=yes&bg=no#sched-body-outer LinuxCon SPDX Panel Discussion]

[[Business_Team/Launch/1.0/Press_Release|SPDX 1.0 Press Release]]

[http://www.linuxfoundation.org/news-media/announcements/2012/08/linux-foundation%E2%80%99s-spdx%E2%84%A2-workgroup-releases-new-version-software SPDX 1.1 Press Release]

Press Release Content

The SPDX workgroup, hosted by The Linux Foundation, today announced the release of version 1.1 of its Software Package Data Exchange (SPDX™) standard.

* Expanded license list -- 12new licenses added in the 1.1 release and we now have a process in place to accomodate new license requests.
* OSI announces that is has adopted SPDX short identifiers (quote and pointer)
* Based on feedback from the community the SPDX data license was changed from PddL to CC0. (get a quote from Karen C)
* Summary of changes from 1.0 to 1.1. (Kate)
* Talk about the availability of both commercial and open source tools that support SPDX.

A key enabler to the adoption of SPDX is tooling to automate the production of SPDX files and we are pleased to see both commercial and open source projects stepping up to this challenge.

Reach out to commercial vendors for quotes:

* Antelink
* Blackduck
* OpenLogic
* NexB
* Palamida
* Protecode

Reach out to Open Source projects for quotes:

* UNO Fossology project (Matt Germonprez)
* Source Auditor (Gary ONeall)
* University of Victoria (Daniel German)

[[Category:Business]]
[[Category:Archived]]

Business Team/Launch/1.0/Press Release

2013-09-05T13:09:31Z

MartinMichlmayr: Add 1.0 press release from old site

'''SPDX Workgroup Releases Software Package Data Exchange Standard to Widespread Industry Support'''

''Standard format for communicating open source license and copyright information throughout supply chain ensures better, easier compliance''

LINUXCON, Vancouver, B.C., August 17, 2011 – The SPDX workgroup, hosted by The Linux Foundation, today announced the release of version 1.0 of its Software Package Data Exchange (SPDX™) standard.

The SPDX standard helps facilitate compliance with free and open source software licenses by standardizing the way license information is shared across the software supply chain. SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses and copyrights, thereby streamlining and improving compliance.

SPDX was developed with participation by a wide range of industry and open source community heavyweights, including: Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Micro Focus, Motorola Mobility, nexB Inc, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River. Participants in the SPDX beta program included Antelink, HP, Motorola Mobility, Texas Instruments and Wind River.

“The SPDX 1.0 standard is an example of how open compliance and collaboration can enable the advancement of Linux and open source software,” said Jim Zemlin, executive director of The Linux Foundation. “We applaud the SPDX workgroup for its important work on providing a consistent way to report and view license information for software technology components, making it even easier for companies to maximize their investments in free and open source software.”

Most technology products today are assembled from multiple components that contain free and open source software, as well as commercial software; these components are created, delivered, and received by companies throughout the supply chain. Because of the distributed nature and complexity of the global software supply chain, it has become cumbersome and time consuming for each organization to prepare the license information for these components in the multiple distinct formats prescribed by others in their supply chain.

By enabling communities and companies to provide license information in a common format that can be easily analyzed and shared, the SPDX standard helps to accelerate the adoption of Linux and other free and open source software across industries, including the consumer electronics marketplace, by easing the burden of compliance through transparent sharing of license information.

“Today we’re seeing collaboration among industry experts come to fruition in SPDX 1.0,” said Esteban Rockett, co-founder of SPDX and lead software counsel at Motorola Mobility (an SPDX beta participant). “Representatives from the community, vendors and companies that use open source have come together to deliver a standard, accompanied with tools, that will make it easier to determine and comply with license obligations in a software bill of materials. This reduces compliance anxiety and costs, and further accelerates the adoption of Linux and other free and open source software.”

“The announcement of the initial release of the SPDX standard is a welcome event, because SPDX is a crucial building block in an industry-wide system of automated license compliance administration,” said Eben Moglen, executive director of the Software Freedom Law Center. “The efforts of the SPDX workgroup will ultimately help to realize large cost savings for all parties making commercial use of embedded FOSS, as well as substantially increased assurance of license compliance for FOSS licensors.”

The SPDX standard defines a standard file format that lists detailed license and copyright information for a software package and each file it comprises. The SPDX community has also provided open source tools to convert SPDX files to and from spreadsheet formats.

Visit the SPDX website for more details on what is in the SPDX standard or to participate in the SPDX community: www.spdx.org.

A video overview of SPDX is available at http://www.linuxfoundation.org/programs/legal/compliance/webinars/introduction-to-spdx

'''Widespread Industry Support for SPDX 1.0'''

'''Antelink''' 
“SPDX gives us an easy way to get data about licenses in open source projects,” said Guillaume Rousseau, CEO, Antelink. “As a participant in the SPDX beta program, we have found the SPDX specification to be simple, straightforward and easy to work with. We’re very happy to support the SPDX efforts, and look forward to implementing SPDX 1.0 in our search engine of open source files!”

'''Black Duck Software''' 
“Black Duck’s mission is to enable open source adoption while automating governance and compliance. SPDX is completely aligned with this mission, and so from the outset, we have been eager to invest our resources and expertise in the initiative,” said Phil Odence, vice president of Business Development, Black Duck Software.

'''Canonical''' 
“We look forward to the opportunity of working with upstream projects using SPDX and/or DEP5 to make it easier to understand the licensing associated with those projects,” said Kate Stewart, Ubuntu Release Manager.

'''Debian''' 
“Having a consistent way to describe licenses that’s shared by Debian’s DEP5 and the SPDX working group will help the entire ecosystem provide accurate licensing information for open source projects,” said Steve Langasek, Debian DEP5 co-editor.

'''Fedora''' 
“Fedora is pleased to have participated in the development of the SPDX specification. SPDX will help shine a light on Free and Open Source Software licensing,” said Tom “spot” Callaway, Fedora Engineering Manager.

'''HP''' 
“Open source is an extremely valuable asset to HP and the technology industry. With so many open source components throughout the software supply chain, organizations need a common format to simplify their license compliance efforts,” said Phil Robb, director, HP Open Source Program Office. “By streamlining the process, the SPDX standard addresses how license information is shared, while reducing the risks and costs of compliance for organizations. This represents the next step of industry-wide due diligence to ensure the ongoing success of open source into the future by respecting the rights and wishes of its authors.”

'''Micro Focus''' 
“The broad adoption of SPDX by independent software vendors will substantially reduce the overhead involved in open source adoption and compliance,” said Thomas Incorvia, vice president of Product Licensing at Micro Focus.

'''nexB Inc.''' 
“SPDX 1.0 is a crucial first step toward establishing the processes and tools that will support the application of supply chain best practices to component-based software development,” said Michael Herzog, CEO of nexB Inc. “It will assist organizations of all sizes and types in their efforts to comply with open source license obligations, and it also provides a solid building block for managing other types of software license data in the future.”

'''OpenLogic''' 
“As we work with enterprises to help them comply with open source licenses, one of the challenges they face is getting a complete understanding of what open source licenses are included in their products. SPDX will provide an important step forward by standardizing the way that licenses information is communicated and sharing that information across the software supply chain,” said Kim Weins, senior vice president of Marketing at OpenLogic. “Our audit and scanning tools will support the SPDX spec to help automate these compliance processes.”

'''OSI''' 
“We applaud the work of the SPDX working group on helping to simplify and standardize references to software licenses and build on the naming work that OSI’s volunteers were already doing. OSI has already adopted SPDX in the definitive list of licenses at http://opensource.org/licenses,” said Michael Tiemann, president, the Open Source Initiative (OSI). “The SPDX workgroup has leveraged more than a decade of the work at OSI in reviewing licenses for their impact on software freedom. By using the SPDX set of standard short-form license names, the entire open source ecosystem will be able to communicate in a consistent manner, especially to identify and avoid code under SPDX-identified licenses that are not OSI-approved.”

'''Protecode''' 
“SPDX will enable more organizations to freely use open source software in their products and streamline the license compliance process. Having a standard in place will benefit both the Linux and open source communities as a whole. All of our System 4 products will fully support SPDX 1.0,” Kamal Hassin, VP of Product Management, Protecode.

'''Source Auditor''' 
“Source Auditor is pleased to be a contributor to SPDX specification and tools,” said Gary O’Neall, CEO of Source Auditor. “By incorporating SPDX into our processes and tools, we will enable our customers and their suppliers to reduce the cost and complexity of complying with open source license obligations.”

'''Texas Instruments''' 
“SPDX is a great resource that allows TI to understand all licensing information for the open source components of our software packages,” said Jack Manbeck, manager, Open Source Review Board, TI. “TI is committed to providing customers with full knowledge of all components included in TI software packages and assuring compliance with all applicable open source licenses. SPDX enables us to do this quickly, efficiently and cost-effectively.”

'''Wind River''' 
“SPDX is another step towards advancing Linux and open source software in embedded markets,” said Paul Anderson, vice president of marketing and strategy for Linux products at Wind River. “As an active participant in both the SPDX workgroup and Beta program, Wind River has developed a strong understanding and appreciation of how SDPX can benefit embedded device vendors. SPDX can ease compliance by standardizing the way license and copyright information is shared across the entire supply chain.”

'''About SPDX''' 
The Software Package Data Exchange® (SPDX™) specification is a standard format for communicating the components, licenses and copyrights associated with a software package. This SPDX Community is a workgroup sponsored by The Linux Foundation and associated with FOSSBazaar. The specification has been adopted as one of the key elements of the Linux Foundation’s Open Compliance Program. Further, the SPDX naming conventions are now in use at the industry’s repository of record for open source licenses, maintained by the Open Source Initiative at http://opensource.org/licenses. The SPDX specification itself is under the Creative Commons Attribution License 3.0. For more information about SPDX, please visit: http://spdx.org/

'''About The Linux Foundation''' 
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux. Founded in 2007, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system by marshaling the resources of its members and the open source development community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Linux conferences, including LinuxCon, and generating original Linux research and content that advances the understanding of the Linux platform. Its web properties, including Linux.com, reach approximately two million people per month. The organization also provides extensive Linux training opportunities that feature the Linux kernel community’s leading experts as instructors. Follow The Linux Foundation on Twitter.

Trademarks: The Linux Foundation and SPDX are trademarks of The Linux Foundation. Linux is a trademark of Linus Torvalds.

Legal Team/Priorities

2013-07-10T14:52:21Z

MartinMichlmayr: add link

Additional information related to current priorities and work in progress is stored here. More information about these items may also be captured in the relevant meeting minutes.

* [[Legal_Team/License_List/Licenses_Under_Consideration|Licenses Under Consideration]]
* [[Legal_Team/License_List/License-templates|License templates]]
* [[Legal_Team/Current_Projects_and_Issues|Current Projects and Issues]]

[[Category:Legal]]

Technical Team/Minutes/2013-05-07

2013-05-15T10:02:40Z

MartinMichlmayr: Remove redundant info

== Attendees ==
* Gary O’Neall
* Bill Schineller
* Kate Stewart
* Marshall Clow
== Agenda ==
* Review of plugfest results
==Review of plugfest results==
* Concluded/asserted license inconsistency (bug 1114) – need to send over to legal [Gary to forward on to Jilayne]
* Convention for file path – need best practice document – Added bug
* Need to add a 1.2 release for the bugs database – Kate will add
* Need to change default owner from Peter Williams for bugs database – Kate will update
* Extracted license text – do we need to add another field for the complete text? Need a discussion. Added a documentation bug.
* Add “old style MIT’ license to license list – found in install.sh license. Added a bug.
* GPL 2.0 and GPL 2.0 and Later have identical standard license text – bug added
* Add header to the standard license list – suggested for 1.2 – bug added 1121
* Different between SPDX document authors vs. reviewer – added bug for usage guidelines
* Use of ArtifactOf clarify the use – bug added for usage guidelines
* Clarify the use of parenthesis for non-compound licenses (e.g. “(GPL-2.0)”) – bug added
Stopped at middle of page 5

Technical Team/Minutes/2013-05-14

2013-05-15T10:02:18Z

MartinMichlmayr: Remove redundant info

== Attendees ==
* Gary O’Neall
* Bill Schineller
* Kate Stewart
* Kirsten Newcomer
* Michael Herzog
== Agenda ==
* Review of plugfest results
==Review of plugfest results==
* ArtifactOf best practices – documentation bug added
* Reviewer – not sure what this issue was – request more information from the distribution list, if no one remembers we will drop – Kate to send out email
* Download location – Best practice should point to location that is likely to be preserved – file level locations may go away, git locations are likely to be preserved – document best practice bug
* Home page URL – enhancement to add a second URL which is the project home page – bug added
* Once the home page URL is implemented, we should revisit the download location. The best practice may be to be specific to the file location even though the URL may go away. – documented in the download location documentation bug
* Sorting filenames – documented best practice for SPDX Tag/Value format files; added bug for SPDX tools to follow the best practice
*4.14 in 1.1 is copyright text aggregated from all files, proposal to add an optional field for package level copyright if it exists
* Field on file for notices – bug added for enhancement
* License ref – assign name. Would need some way to make unique. Bug added for enhancement. General consensus that this would be a 2.0 item.
[[Category:Technical|Minutes]]
[[Category:Minutes]]

Business Team/Minutes/2013-05-02

2013-05-09T20:09:06Z

MartinMichlmayr: Typo fix

== Attendees ==

* Jack Manbeck
* Mark Gisi
* Gary O'Neall
* Phil Odence
* Pierre Lapointe
* Matt Germonprez
* Jilayne Lovejoy
* Mike Dolan

== Agenda ==

# Survey update – Phil
# Requirements capture worksheet update – Mark
# Documents we are working on
## Consuming SPDX – Jack
## Producing SPDX - ? (okay I forgot who volunteered for this)
## Umbrella SPDX document – Mark
# Any other business

== Notes ==

=== Survey Update ===
* We had about 20 some responses so far.
* Phil will send out a summary of survey results to the business team. The summary will not have names or companies as the survey was confidential.
* There was discussion on how long to leave the survey open. general consensus was that we leave it open until we hit a wall where we do not seem to be getting any new responses in.
* Mike Dolan from the LF said they were going to send out a newsletter and they could include the survey link and a blurb. Phil was going to email him the information.
* As the results need to be confidential, we can do a summary report after all the results are in and see what is actionable for SPDX.
* Survey results on their raw form will not be part of the requirements collection we are doing due to the anonymity clause. The idea was that if you did not include a business or user name then the survey was confidential but it may not have been clearly explained. Therefore, if either are entered the results will be treated as anonymous.
* Scott will also send out a link to the survey on the European Legal network mailing list.

=== Requirements Worksheet ===

* Mark had not started yet, too busy with the prep for Collab.
* Debated whether requirements should be kept on wiki or on something like Google Docs for now. It was decided to use Google Docs for the raw data. At some point once the information was massaged it could be moved to the wiki.

=== Umbrella Document ===

* Mark is about 3/4 of the way done with this.

=== Consuming SPDX Document ===

* No update on this as Jack was busy with planning and prep for Collab.
* Matt offered to help Jack with the document. he suggested that it include real business use cases of people consuming SPDX. It was a good idea and will be incorporated.
* It was suggested that the documents share a common structure. Jack to send something out on that for the next meeting.

=== Producing SPDX ===

* It seems Scott was the one who volunteered to drive the producing document. No update as Scott was busy with Collab.

=== Other Business ===

* Jack really needs to update the calendar invite with the right call in code.
* Mike Dolan from the Linux Foundation will be our new contact.
* Matt said OpenMAMA will start using SPDX. he will be working with them

[[Category:Business|Minutes]]
[[Category:Minutes]]

Business Team/Minutes/2013-05-02

2013-05-09T20:08:48Z

MartinMichlmayr: Fix MediaWiki syntax

== Attendees ==

* Jack Manbeck
* Mark Gisis
* Gary O'Neall
* Phil Odence
* Pierre Lapointe
* Matt Germonprez
* Jilayne Lovejoy
* Mike Dolan

== Agenda ==

# Survey update – Phil
# Requirements capture worksheet update – Mark
# Documents we are working on
## Consuming SPDX – Jack
## Producing SPDX - ? (okay I forgot who volunteered for this)
## Umbrella SPDX document – Mark
# Any other business

== Notes ==

=== Survey Update ===
* We had about 20 some responses so far.
* Phil will send out a summary of survey results to the business team. The summary will not have names or companies as the survey was confidential.
* There was discussion on how long to leave the survey open. general consensus was that we leave it open until we hit a wall where we do not seem to be getting any new responses in.
* Mike Dolan from the LF said they were going to send out a newsletter and they could include the survey link and a blurb. Phil was going to email him the information.
* As the results need to be confidential, we can do a summary report after all the results are in and see what is actionable for SPDX.
* Survey results on their raw form will not be part of the requirements collection we are doing due to the anonymity clause. The idea was that if you did not include a business or user name then the survey was confidential but it may not have been clearly explained. Therefore, if either are entered the results will be treated as anonymous.
* Scott will also send out a link to the survey on the European Legal network mailing list.

=== Requirements Worksheet ===

* Mark had not started yet, too busy with the prep for Collab.
* Debated whether requirements should be kept on wiki or on something like Google Docs for now. It was decided to use Google Docs for the raw data. At some point once the information was massaged it could be moved to the wiki.

=== Umbrella Document ===

* Mark is about 3/4 of the way done with this.

=== Consuming SPDX Document ===

* No update on this as Jack was busy with planning and prep for Collab.
* Matt offered to help Jack with the document. he suggested that it include real business use cases of people consuming SPDX. It was a good idea and will be incorporated.
* It was suggested that the documents share a common structure. Jack to send something out on that for the next meeting.

=== Producing SPDX ===

* It seems Scott was the one who volunteered to drive the producing document. No update as Scott was busy with Collab.

=== Other Business ===

* Jack really needs to update the calendar invite with the right call in code.
* Mike Dolan from the Linux Foundation will be our new contact.
* Matt said OpenMAMA will start using SPDX. he will be working with them

[[Category:Business|Minutes]]
[[Category:Minutes]]

General Meeting/Minutes/2013-04-CollabSummit

2013-04-27T11:44:41Z

MartinMichlmayr: Improve formatting

'''COLLABORATION SUMMIT SUMMARY'''

For those of you who didn’t make it to the Collaboration Summit, below is a summary of the different components of the event. It was pretty inspiring in a number of ways…for me, it felt like the rubber is finally meeting the road seeing real tools—our own, from academia, and commercial—putting out real live SPDX docs. The every positive KarenC summed it up as “The discussions have much more of a feeling that this has to happen – the only questions are around how.” And I agree.

All the team leads did an outstanding job organizing our ever expanding involvement in Linux event. (Now we even get our own track.) Gary, MarkG and Adam were also key in pulling this off.

== Tech Team Working Session ==

In this session we went through the current model proposal for 2.0, and discussed options that would simplify the model, and still meet the use cases we're targeting. We were also able to start off the relationship and element usage enumerations. Full details can be found at: [[Technical_Team/Minutes/2013-04-16]].

== Legal Team Working Session ==

The SPDX Legal Team met at the LF Collab Summit to hash out the remaining bits of the License Matching guidelines. Namely whether SPDX should provide "guidelines only" in regards to what is to be considered substantive text of a license for matching purposes or whether SPDX should go further and provide some kind of actual markup or examples in regards to text than can be ignored or considered "replaceable" for matching purposes. And, if the latter, to what extent and in what format to provide such markup or examples. The legal team, with good representation from various tool makers and tech team members, decided that markup was needed to avoid potential differences in interpretation by tool makers. It was decided to use simple markup that could be illustrated within a .txt file, as that is the (mostly) preferred download format for the licenses. The exact details of the markup are being worked out and the Legal Team (with help from anyone else in the SPDX Workgroup) will manage getting the markup created for the entire current SPDX License List.

== Open SPDX Discussion ==

Mark Gisi from Windriver and Adam Cohn from Cisco held this session on Tuesday afternoon. It was held under Chatham House Rules which means “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”. Now before you say hey you just said you weren’t supposed to mention names, these two were the chairs as listed on the SPDX schedule.There was a lot of good discussion. One individual talked about how they are fully integrating SPDX into what they their company delivers and how they are shipping, and I believe the number was, over 500 SPDX documents with each release. They also had a website for generating SPDX documents. Others talked about how they have started to integrate SPDX into their compliance process using it for reviews but not yet quite shipping. The reasons seemed to vary for that but they appeared to be more procedural than SPDX related. One individual did raise a concern on the amount of time that it might take to generate SPDX documents adding that it increased the cost of their compliance it was not something they could do. A few individuals talked about the adoption of SPDX among open source projects. There was some discussion on how this could be done now as there are a few open source tools that have appeared to generate SPDX documents. One individual talked about how they would like to see SPDX become more fully integrated into the community meaning that practices normally associated with an open source project such as peer review and so forth were used and considered part of the process of generating, reviewing and editing SPDX documents.

== SPDX Morning Sessions ==

Mark Gisi (the man that Scott calls “the spiritual leader of SPDX adoption”) kicked off the morning with License to Kill…You Code, a very cogent treatise on why it’s important for copyright holders to get it right if they want their projects to thrive.
Then Gary “the Toolman” O’Neall lead a panel on Tooling up for SPDX. He gave an over view of group, community and commercial tools that are now compatible with SPDX. Gary was joined by Matt Germonprez of the University of Nebraska Omaha and Sameer Ahmed from Wind River Systems who both talked in some detail about work their groups have done to “tool up.”
Conclusion: This stuff is real! And to prove it…

== SPDX Bakeoff ==

The SPDX Bakeoff was held Wednesday afternoon. Our main objective was to compare SPDX output from different tools in order to identify bugs and resolve different interpretations of the specification. We had great representation from the various tool providers, members of the SPDX working group, and a number of other interested parties. Gary O’Neall’s excellent spreadsheet comparison tool was used as the basis for comparison of the various SPDX files. Per the agenda, we first stepped through the complete Time package on a file by file basis. Following that we dove into Busybox but only at the package level. There was a lot good discussion and yes we did find some bugs in the tools and areas where the specification needs to be improved. All in all it was a very productive session and should serve to advance the adoption of SPDX. The spreadsheet along with notes from the session are captured on in this Google doc folder: https://drive.google.com/?tab=mo&authuser=0#folders/0BxKdX878M2HCTlZIbkZSMXN6SGc

General Meeting/Minutes/2013-04-CollabSummit

2013-04-27T11:43:37Z

MartinMichlmayr: Use internal link

'''COLLABORATION SUMMIT SUMMARY'''

For those of you who didn’t make it to the Collaboration Summit, below is a summary of the different components of the event. It was pretty inspiring in a number of ways…for me, it felt like the rubber is finally meeting the road seeing real tools—our own, from academia, and commercial—putting out real live SPDX docs. The every positive KarenC summed it up as “The discussions have much more of a feeling that this has to happen – the only questions are around how.” And I agree.

All the team leads did an outstanding job organizing our ever expanding involvement in Linux event. (Now we even get our own track.) Gary, MarkG and Adam were also key in pulling this off.

'''Tech Team Working Session'''

In this session we went through the current model proposal for 2.0, and discussed options that would simplify the model, and still meet the use cases we're targeting. We were also able to start off the relationship and element usage enumerations. Full details can be found at: [[Technical_Team/Minutes/2013-04-16]].
Legal Team Working Session
The SPDX Legal Team met at the LF Collab Summit to hash out the remaining bits of the License Matching guidelines. Namely whether SPDX should provide "guidelines only" in regards to what is to be considered substantive text of a license for matching purposes or whether SPDX should go further and provide some kind of actual markup or examples in regards to text than can be ignored or considered "replaceable" for matching purposes. And, if the latter, to what extent and in what format to provide such markup or examples. The legal team, with good representation from various tool makers and tech team members, decided that markup was needed to avoid potential differences in interpretation by tool makers. It was decided to use simple markup that could be illustrated within a .txt file, as that is the (mostly) preferred download format for the licenses. The exact details of the markup are being worked out and the Legal Team (with help from anyone else in the SPDX Workgroup) will manage getting the markup created for the entire current SPDX License List.

'''Open SPDX Discussion'''

Mark Gisi from Windriver and Adam Cohn from Cisco held this session on Tuesday afternoon. It was held under Chatham House Rules which means “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”. Now before you say hey you just said you weren’t supposed to mention names, these two were the chairs as listed on the SPDX schedule.There was a lot of good discussion. One individual talked about how they are fully integrating SPDX into what they their company delivers and how they are shipping, and I believe the number was, over 500 SPDX documents with each release. They also had a website for generating SPDX documents. Others talked about how they have started to integrate SPDX into their compliance process using it for reviews but not yet quite shipping. The reasons seemed to vary for that but they appeared to be more procedural than SPDX related. One individual did raise a concern on the amount of time that it might take to generate SPDX documents adding that it increased the cost of their compliance it was not something they could do. A few individuals talked about the adoption of SPDX among open source projects. There was some discussion on how this could be done now as there are a few open source tools that have appeared to generate SPDX documents. One individual talked about how they would like to see SPDX become more fully integrated into the community meaning that practices normally associated with an open source project such as peer review and so forth were used and considered part of the process of generating, reviewing and editing SPDX documents.

'''SPDX Morning Sessions'''

Mark Gisi (the man that Scott calls “the spiritual leader of SPDX adoption”) kicked off the morning with License to Kill…You Code, a very cogent treatise on why it’s important for copyright holders to get it right if they want their projects to thrive.
Then Gary “the Toolman” O’Neall lead a panel on Tooling up for SPDX. He gave an over view of group, community and commercial tools that are now compatible with SPDX. Gary was joined by Matt Germonprez of the University of Nebraska Omaha and Sameer Ahmed from Wind River Systems who both talked in some detail about work their groups have done to “tool up.”
Conclusion: This stuff is real! And to prove it…

'''SPDX Bakeoff'''

The SPDX Bakeoff was held Wednesday afternoon. Our main objective was to compare SPDX output from different tools in order to identify bugs and resolve different interpretations of the specification. We had great representation from the various tool providers, members of the SPDX working group, and a number of other interested parties. Gary O’Neall’s excellent spreadsheet comparison tool was used as the basis for comparison of the various SPDX files. Per the agenda, we first stepped through the complete Time package on a file by file basis. Following that we dove into Busybox but only at the package level. There was a lot good discussion and yes we did find some bugs in the tools and areas where the specification needs to be improved. All in all it was a very productive session and should serve to advance the adoption of SPDX. The spreadsheet along with notes from the session are captured on in this Google doc folder: https://drive.google.com/?tab=mo&authuser=0#folders/0BxKdX878M2HCTlZIbkZSMXN6SGc

Technical Team/Minutes/2013-04-23

2013-04-24T13:17:13Z

MartinMichlmayr:

== Attendees ==

* Gary O’Neall
* Bill Schineller
* Kirsten Newcomer
* Kate Stewart
* Jack Manbeck
* Michael Herzog
* Marshall Clow
== Agenda ==
* Review of changes to Model
* 1.2 release
== Review of model ==
* Update model page to better reflect
* Additional Usage enumeration for contrib library use case – “Optional”
== Review of the plugfest results ==
* 1.2 ideas
** RDF is case sensitive
* 2.0 ideas
** Do we want to add a package home page (may different from the download location)?
* Tools ideas
** Compare utility – using file checksums instead of file names
** Update tag to RDF to be case insensitive on the tag values
* Usage convention
** Version should generally not be in the name but in the version fields unless it is part of the formal names
** Originator/supplier/source info clarifications
** Download location – use of mirrors
** Concluded license conventions – use of conjunctive licenses even when the licenses may contradict (depending on interpretation)
* Legal Team
** For concluded license – if incompatible licenses are found, should we state the licenses in the conjunctive form

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Technical Team/Proposals/2012-02-01/Merged Model Proposal

2013-04-24T13:08:26Z

MartinMichlmayr: Use internal link

Below is a class diagram merging Ed Warnicke's proposed SPDX Element model with the 1.0 model. Definately a work in progress. Most of the class definitions can be found in the 1.0 spec in the RDF appendix (model) or in [[Technical_Team/Proposals/Rough_proposal_for_provenance,_hierarchy_and_aggregation,_and_supply_chain_friendliness_in_SPDX_2.0|Ed's proposal]].

The goals of this proposal are to:

* Support the use cases for the 2.0 spec
* Support the supply chain use cases
* Support the "hierarchical" or embedded package use cases
* Provide a more abstract model which can simplify the application of SPDX to some of the more complex use cases

This proposal extends the existing proposals by adding an SPDX Element Relationship which describes the type of relationship from one SPDX element to another.

See the attached document for the mapping between the SPDX 1.0 properties and this proposal.

See the attached document for a proposal on creating RDF references to other Licensable documents which can be verified through checksums.

Model updated per minutes of 2013 Linux Collab Summit: [[Technical_Team/Minutes/2013-04-16]]

[[Image:Model-4-16-2013.png|909px|Class Diagram]]

[[Category:Technical]]

Technical Team/Minutes/2013-04-23

2013-04-24T13:06:54Z

MartinMichlmayr: Fix MediaWiki syntax

== Attendees ==

* Gary O’Neall
* Bill Schineller
* Kirsten Newcomer
* Kate Stewart
* Jack Manbeck
* Michael Herzog
* Marshall Clow
== Agenda ==
* Review of changes to Model
* 1.2 release
== Review of model ==
* Update model page to better reflect
* Additional Usage enumeration for contrib library use case – “Optional”
== Review of the plugfest results ==
* 1.2 ideas
** RDF is case sensitive
* 2.0 ideas
* Do we want to add a package home page (may different from the download location)?
* Tools ideas
** Compare utility – using file checksums instead of file names
** Update tag to RDF to be case insensitive on the tag values
* Usage convention
** Version should generally not be in the name but in the version fields unless it is part of the formal names
** Originator/supplier/source info clarifications
** Download location – use of mirrors
** Concluded license conventions – use of conjunctive licenses even when the licenses may contradict (depending on interpretation)
* Legal Team
** For concluded license – if incompatible licenses are found, should we state the licenses in the conjunctive form

[[Category:Technical|Minutes]]
[[Category:Minutes]]

Wiki Conventions

2013-04-12T12:53:14Z

MartinMichlmayr: Update link to getting started page

This page describes conventions that should be followed on the SPDX wiki. You can also read the page on [[Getting started with the SPDX wiki|getting started]].

== SubPages ==

This wiki uses subpages to provide a hierarchy. For example, the minutes for the business team are located under <code>Business Team/Minutes</code>.

When you add a new page, please make sure to use the correct hierarchy. If you want to create a new business related page, choose <code>Business Team/name of page</code> If you'd like to add new business minutes, add them as <code>Business Team/Minutes/YYYY-MM-DD</code>

== Categories ==

We use [[Special:Categories|categories]] to organize pages. You should add one of these categories at the bottom of each new page:
* <nowiki>[[Category:Business]]</nowiki>
* <nowiki>[[Category:General]]</nowiki>
* <nowiki>[[Category:Legal]]</nowiki>
* <nowiki>[[Category:Technical]]</nowiki>

== Adding minutes ==

The list of minutes is updated automatically but this requires minutes to be added in the right location. Please use <code>XXX Team/Minutes/YYYY-MM-DD</code> for new minutes.

Additionally, minutes should have the category <nowiki>[[Category:Minutes]]</nowiki> in addition to the category defining the subject area.

== Headings ==

Make sure not to use a heading starting with <nowiki>=</nowiki> as this reserved for the title of the page. Headings should start with <nowiki>==</nowiki>. See the [http://www.mediawiki.org/wiki/Help:Formatting MediaWiki wiki syntax] page for more information.

== Commenting on pages ==

If you'd like to comment on pages, please click on "discussion" on the top of a page.

Main Page

2013-04-12T12:52:34Z

MartinMichlmayr: Update link to getting started page

The Software Package Data Exchange® (SPDX®) [http://spdx.org/content/spdx-specification specification] is a standard format for communicating the components, licenses and copyrights associated with a software package. This wiki site is the workspace for SPDX Teams. Please see [http://spdx.org spdx.org] for general information, the current specification, license list, etc.

* [[Getting started with the SPDX wiki]]
* [[General Meeting]]
* [[Business Team]]
* [[Legal Team]]
* [[Technical Team]]
* [[Old|Older Information]]

Getting started with the SPDX wiki

2013-04-12T12:50:38Z

MartinMichlmayr: MartinMichlmayr moved page Getting started to Getting started with the SPDX wiki: Better name

This is the wiki for the [http://spdx.org/ SPDX project]. Here is some information to help you get started.

== User registration and access ==

You need an account in order to make changes to this wiki. Because of spam concerns, we turned off account registration on this wiki. If you'd like to have an account, please send your prefered user name to wiki@spdx.org and we'll quickly create an account for you.

== Editing the wiki ==

The wiki uses MediaWiki. You can read about the [http://www.mediawiki.org/wiki/Help:Formatting wiki syntax] used by MediaWiki. We also provide a WYSIWYG (what you see is what you get) editor to make it easy to edit this wiki.

== Wiki conventions ==

There are certain conventions you should follow when editing this wiki, please see the page [[Wiki Conventions|wiki conventions]].

== Subscribing to pages ==

If you have an account on this wiki, you can follow certain pages in order to stay up to date with changes made to these pages. Simply click on "watch" at the top of a page in order to add it to your watch list.

You can choose to be informed about changes to pages on your wtch list by email. Go to [[Special:Preferences]], scroll down in the "User profile" tab, go to "E-mail options" and enable "E-mail me when a page or file on my watchlist is changed".

== Help and questions ==

If you need any help, please contact the [http://lists.spdx.org/mailman/listinfo/spdx SPDX mailing list]. If you want to contact the admin of this wiki, email wiki@spdx.org

Getting started

2013-04-12T12:50:38Z

MartinMichlmayr: MartinMichlmayr moved page Getting started to Getting started with the SPDX wiki: Better name

#REDIRECT [[Getting started with the SPDX wiki]]

Legal Team

2013-04-12T08:46:36Z

MartinMichlmayr: Reverted edits by Lfadmin (talk) to last revision by MartinMichlmayr

This is the working area for the Legal Team. The SPDX Legal Team supports and provides recommendations to the SPDX working groups regarding licensing issues for the specification itself; maintains the [http://spdx.org/licenses/ SPDX License List]; and promotes the SPDX specification to the legal community at-large.

The Legal Team meets every other Thursday at 18:00 GMT (10:00AM PT, 11:00 MT, 12:00 CT, 1:00PM ET).
Dial-in number: 1.866.740.1260 (US Toll-free) or 1.303.248.0285 (International)
Conference code: 2404545

* [[Legal_Team/Priorities|Current Priorities and Work in Progress for the Legal Team]]
* [[Legal_Team/Minutes|Meeting Minutes of the Legal Team]]
* [[Legal_Team/Decisions|Decisions of the Legal Team]]
* [[Legal_Team/Old|Older Items for the Legal Team]]

[[Category:Legal]]

Legal Team/Minutes/2013-04-11

2013-04-11T18:41:51Z

MartinMichlmayr: fix link

== Attendees ==
*Jilayne Lovejoy, OpenLogic
*Tom Incorvia, Incorvia
*Dennis Clark, NexB
*Jack Manbeck, TI
*Zac White, Entente
*Paul Madick, HP
*Phil Odence, Black Duck
*Tom Vidal, Abrams Garfinkel Margolis Bergson

== New site and wiki is up!!! ==

== Public Domain explanation page ==
see http://wiki.spdx.org/view/Legal_Team/Decisions/Dealing_with_Public_Domain_within_SPDX_Files_(DRAFT)
updated to reflect Jason Buttara's excellent revisions and one small edit by Jilayne in last paragraph. All on call agreed it looked good, so will be considered done once updated with proper links and reference to spec

== Approve final text for SPDX License List Overview page: ==
please see draft here: http://wiki.spdx.org/view/Legal_Team/License_List/Overview_and_License_Inclusion_Guidelines_(draft_for_review)
*call for comments/feedback on the general list and meeting last week resulted in only a few tweaks as follows:
**Somewhere early on, probably in the background, we should make a parenthetical statement to the effect that the standard is able to handle any license, it doesn't have to be on the list. It's just more convenient if it is.
*** all on call agreed, sentence to this effect added to end of second paragraph
**whack the para that starts "Although SPDX…" Seems to me the next para handles the issue.
*** all on call agreed that having this paragraph was helpful and cutting it didn't save that much space, so left it in
**This seems too strong: "Because the present focus of SPDX is the collection and presentation of the open-source software licenses contained in a software package, any license that is a candidate for inclusion on the SPDX License List must be an "open source" license. maybe: "…must have the attributes of an OSS license" or "…must be OSS-like…" or "…must be characterized as an…"
***changed to "must have the attributes of an open source license"
***changes will be made, page posted on official site and the draft page on the wiki will go away

== license list issues that came up as Jilayne went to update and release v1.18: ==

: A) license list language issue (all licenses on list are in native language with links to other official translations. License for which this is an issue are "Cecill, EUPL. and now, the German Public License
:*discussed that this dovetails with license matching guidelines - should official translations be considered equivalent and hence only need one short identifier for the license or should we have each translation as a separately listed license with it's own short identifier?
:*have there been any claims or issues related to translations? not that anyone knows of...
:**decided to leave as is, that is with license text included for native language and links to official translations in the note field. therefore for German Public License, will use the German full name and text for purposes of the License List; slight update to license overview description of fields to make sure this is explained there
:*** good issue to add to list for license matching guidelines discussion next week at Collab Summit
:B) MITRE Collaborative Virtual Workspace License - had decided to add (old license that is OSI approved) but the license text itself includes its own 6 clauses plus the text of the GPL and the text of the MPL with a choice of either.
:*should license text for matching purposes only be the 6 clauses, as whatever license (GPL or MPL) is chosen would/should be indicated with the short identifier for those licenses?
:*talked through how this might work within an SPDX document, the SPDX License List, and the license matching guidelines...
:**decided in spirit of releasing v1.18 of the license list and not making a hurried decision on this topic, which could impact the way other similar licenses are dealt with, to leave license off list for now and also discuss issue at license matching guideline meeting next week.

[[Category:Legal|Minutes]]
[[Category:Minutes]]

Wiki Conventions

2013-04-11T10:38:27Z

MartinMichlmayr: Link to category page

This page describes conventions that should be followed on the SPDX wiki. You can also read the page on [[Getting started|getting started]].

== SubPages ==

This wiki uses subpages to provide a hierarchy. For example, the minutes for the business team are located under <code>Business Team/Minutes</code>.

When you add a new page, please make sure to use the correct hierarchy. If you want to create a new business related page, choose <code>Business Team/name of page</code> If you'd like to add new business minutes, add them as <code>Business Team/Minutes/YYYY-MM-DD</code>

== Categories ==

We use [[Special:Categories|categories]] to organize pages. You should add one of these categories at the bottom of each new page:
* <nowiki>[[Category:Business]]</nowiki>
* <nowiki>[[Category:General]]</nowiki>
* <nowiki>[[Category:Legal]]</nowiki>
* <nowiki>[[Category:Technical]]</nowiki>

== Adding minutes ==

The list of minutes is updated automatically but this requires minutes to be added in the right location. Please use <code>XXX Team/Minutes/YYYY-MM-DD</code> for new minutes.

Additionally, minutes should have the category <nowiki>[[Category:Minutes]]</nowiki> in addition to the category defining the subject area.

== Headings ==

Make sure not to use a heading starting with <nowiki>=</nowiki> as this reserved for the title of the page. Headings should start with <nowiki>==</nowiki>. See the [http://www.mediawiki.org/wiki/Help:Formatting MediaWiki wiki syntax] page for more information.

== Commenting on pages ==

If you'd like to comment on pages, please click on "discussion" on the top of a page.

Legal Team/Decisions/Inclusion Guidelines (Background)

2013-04-11T10:24:04Z

MartinMichlmayr: Convert to MediaWiki syntax

== Background ==

Work on the SPDX License List (SPDX-LL) began sometime in 2010. The first SPDX-LL had approximately one hundred licenses on it. The initial set of licenses was included based on informal discussion and consensus. Although various "guidelines" were identified in regards to which licenses to include or not during this time, formal guidelines were not recorded beyond the meeting minutes. We had to start somewhere, and the obvious was the easy beginning point. Decisions or guidelines that evolved out of discussion or by implication included the following:

* include commonly found open source licenses. Although discussion was not explicit in regards to how to define an "open source license," this was always an implicit guiding principle
* include all OSI approved licenses, both current and those approved but now deprecated. Rationale being that once OSI-approved, always OSI-approved and deprecated licenses still appear "in the wild"
* in regards to "public domain": public domain dedications (because, it cannot technically be a "license"...) that are commonly found, well-established, or associated with a commonly found packages will be included on the SPDX-LL (e.g., ANTLR, Sax, CC-0). However, the idea of having a "generic" identifier for something that it released into the public domain was rejected after some discussion. This would not be practical for a number of reasons:
*# the concept of public domain does not necessarily translate across jurisdictions and the conditions under which a work can be released to the public domain vary on an country-by-country basis. Thus, having a short identifier could potentially only introduce ambiguity as to what that short identifier precisely means (and ambiguity - at least insofar as it comes to accurately identifying a license - is not the goal)
*# where something is noted with a public domain dedication, it can be captured the same was as any (other) license. That is, if it is something is part of the SPDX License List, it will have a short identifier, full name and exact text match like the examples above, and if it is not on the SPDX License List, it can be captured the same way as any (other) license not on the list via a license reference.
* recognition that the need for a more formal process for requesting new licenses to be added to the SPDX-LL. Such a process was discussed in terms of an ideal goal and pragmatic approach for the current reality. A process that bridged the former, with more weight on the latter was implemented in April 2012.

== Current State ==

And that brings us to the waning days of 2012 when the need to make it clear and transparent to the world what criteria we are using to maintain this list in terms of determining when to "accept" or "reject" a request to add a license to the SPDX-LL became impossible to ignore. Repeated abbreviated discussions around the issue of "freeware" or open source-ish licenses came up on a multiple occasions and so discussion ensued and a first draft and one round of revisions were completed by December 2012.

== Goal ==

The goal here is to come up with a set of guiding principles for licenses to be added or not added to the SPDX-LL. This way, when a license request is submitted the guidelines can be referenced (instead of one-off rationales for each license, which is inefficient), thus providing some consistency and reliable expectations for what the SPDX-LL includes.

Please review the meeting minutes on the following dates for a summary of discussion thus far:

* initially brought up briefly (and in regards to Sun/Oracle licenses which are commonly found, but not really "open source" licenses) in mid-August 2012. We discussed briefly on a few calls, but tabled for a later date due to other priorities or pre-determined agenda items.
* Request for addition of FLora license [[Legal_Team/Minutes/2012-10-31]]
* [[Legal_Team/Minutes/2012-11-13]]
* subsequent email discussion centered around the need for the guidelines to also comment on the addition of such things as public domain dedications or other notices that do not, per se, constitute a "license" but may otherwise fit the existing/initial criteria (commonly found/common package)

Also see the attached document below for the second draft, which includes some comments and track changes.

Additional discussion has been ongoing via the mailing list at legal at spdx.org. Alternatively, you can comment on this page below.

[[Category:Legal]]

Legal Team/Current Projects and Issues

2013-04-11T10:22:04Z

MartinMichlmayr: Fix broken link

LAST UPDATED: 17 Jan 2013

'''1) License List'''

'''1A) Licenses to add? ''(Kirstin Newcomer to track progress and lead; GROUP to make decisions; may need to delegate research on particular licenses to others - ongoing, check in on this each call)'''''

# "old" MIT? see http://blog.gmane.org/gmane.comp.licenses.spdx.legal/day=20121201
# FLORA License - decided not to add at this point in time, pending guidelines mentioned in #3 below. see http://blog.gmane.org/gmane.comp.licenses.spdx.legal/month=20121101 for most recent thread on the topic
# Unlicense - see thread here: http://search.gmane.org/?query=unlicense&group=gmane.comp.licenses.spdx.legal
# add US Gov't works - add short identifier to list; see email from David Wheeler
# add in Notes field for all GNU licenses that short identifier "GPL-2.0" = GPL v2 only and vice versa - more discussion on this?

'''1B) OSI outstanding issues: ''(Jilayne - goal to have these resolved by end of June or next rev of SPDX-LL)'''''

# Artistic license issue
# futher clarification on a few previous issues (were APSL-1.0, APSL-1.1, and GPL-2.0 ever approved?)
# zlib/ libpng license clarification
# Jabber Open Source License v1.0 -
# Jabber Open Source License v1.0 – decided to add and in doing so noticed the archived text here (http://archive.jabber.org/core/JOSL.pdf) is not the same as the OSI has on their site (it was OSI approved). What do we do about this? (see attached .doc file for comparison. text says "draft" at bottom... decided because it's an old license to hold off and not add to list yet - and resolve with OSI (with goal of having on list b/c it was OSI approved and we endeavored to have all OSI licenses on SPDX list, even if old). license text also can be found at: http://code.google.com/p/jabber-net/wiki/FAQ_License

'''1C) GPL exceptions: ''(Tom Vidal - goal to have this reasonably done by end of June)'' ''' We don't have them all and there are also the issue of inconsistencies "in the wild" among named exceptions and actual text (i.e. not all exceptions found called Foo exception have the exact same text; how do we deal with this?)

'''1D) Better system for saving/updating SPDX License List ''(Jilayne to coordinate with Gary - goal to have this done by end of February)'' ''' Currently the SPDX-LL is kept and updated by Jilayne. This is not an optimal system (hit by a bus factor not accounted for). Need to change to some kind of respository that tracks changes and can be viewed by all (But not edited by all).

'''2) Community outreach and list coordination:'''Goal of coordinating with various other license lists to make sure SPDX has licenses from these lists and check short name matching (or create "translation" document if different)

'''2A) Fedora license list ''(Paul Madick - goal for first pass by end of first quarter?? TBD, Paul to report on timing next call)''''' will need to check lists for discrepancies, i.e. are there licenses on Fedora list that are not on SPDX-LL and if so, decide to add; also need to create short-name matching matrix due to Fedora using different type of categorization for its short names. Coordinate and communicate with Tom Calloway throughout.

'''2B) Fossology (''ASSIGN)''''' coordinate with Bob Gobeille, see http://www.fossology.org/projects/fossology/wiki/MatchSPDXLicenceIDs

'''2C) Gentoo - ''(ASSIGN)'''''

'''2D) Suse ''(ASSIGN)''''' list found here: https://docs.google.com/spreadsheet/pub?key=0AqPp4y2wyQsbdGQ1V3pRRDg5NEpGVWpubzdRZ0tjUWc (courtesy of Ciaran Farrell from 6/27/12 email list thread)

'''2E) FSF license list match-up''' from http://www.gnu.org/licenses/license-list.html. completed for v1.17. any outstanding license questions were added to #1(A)

'''3) General guidelines for what licenses are included on the SPDX License List ''(Tom Vidal - conclude by end of March)''''' General statement or guidelines needed in regards to the types of license that are to be included on the SPDX-LL; in particular in regards to requests fo r adding a new license. e.g., only open source licenses? what about freeware licenses? see meeting minutes from 31-Oct and 13-Nov for background and discussion thus far. draft of guidelines began by Tom Vidal see [[Legal_Team/License_List/Inclusion_Guidelines_(Background)]] for overview of issue and latest revision - To Be Continued with larger group

'''3A) Also review process for requesting a new license''' once above is done to see if anything should be updated as we refine the process, etc.

'''4) License Match Guidelines ''(GROUP - needs an owner and would like to make a priority)''''' not enough people on 6/27 legal call for quorum/to complete; see meeting minute for 6/27 and several prior meetings. Matching guidelines updated as of 6/27, see [[Legal_Team/License_List/License_Matching_Guidelines]]

'''5) Website updates ''(Jilayne - time frame TBD)'''''

# add page for explaining public domain discussion
# update page re: change of "data license" from PddL to MIT
# add page to wiki that outlines progress regarding varioud license list coordination (OSI, FSF, Fedora, etc.) we have or have yet to coordinate with
# other past decisions further explained?

'''6) Formatting and "master list" for License List (i.e. actual license text files) ''(Phil)''''' Currently the "master" consists of spreadsheet with list + individual .txt files for license text field = downloadable zip file. This is then converted into html pages for website. Peter, Gary, and Jilayne have had initial discussion on this issue; to be discussed further with more fleshed out proposal

PROPOSAL: License text files formatted in HTML instead of .txt files as default; can convert from there into text file with tool if people want that too; Option to use HTML to indicate some of matching rules?

'''7) Recommendations or guidance on how to best determine license for a particular file''' how to identify the license for an open source project - ex. Within the file versus whether there's a copying file on top of the directory ? provide guidance/suggstion (industry practice?) that license in the file is more determinate than the license in the directoryShould the legal group aggregate industry best practices and come up with a group of guidelines and provide some influence on that?

[[Category:Legal]]

General Meeting/SPDX Web Site Cleanup

2013-04-11T09:53:02Z

MartinMichlmayr: Link to talk page

The following table lists the curret issues/improvments that need to be made to the SPDX website following our conversion thiis past month from the old site to the new one.

The list was intiially populated by Jack Manbeck but feel free to add to or modify the contents. Note: I found it a little challenging to add a table to the wiki and to be able to format it. I ended up restorting to HTML. This may make it challangeing for some to add items. If thats the case, please feel free to post to the list and I can make the appopriate changes or add a line after the table stating who you are and what your feedback is.

The Assigned To and Status fields will be taken care of by the web revamp team.

{| style="width: 637px" border="1"
| style="width: 40px" valign="top" |
'''Item'''
| style="width: 315px" valign="top" |
'''Description'''
| style="width: 95px" valign="top" |
'''Source'''
| style="width: 95px" valign="top" |
'''Assigned To'''
| style="width: 110px" valign="top" |
'''Status'''
|-
| style="width: 40px" valign="top" |
1
| style="width: 315px" valign="top" |
I noticed that the link on the home page for spdx-tech lower right under roles and responsibilities goes to a basically empty page (http://spdx.org/content/technical-0) . I’m not sure if the page just needs to be filled in or if it should link to http://spdx.org/wiki/spdx/spec-development
| style="width: 95px" valign="top" |
Gary
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
2
| style="width: 315px" valign="top" |
Raise up SPDX License List on the menu hierarchy
| style="width: 95px" valign="top" |
Jilayne
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
3
| style="width: 315px" valign="top" |
SPDX Tech Page Comments
* Add Bug Tracking page. Seperate for spec and tools. Have anonymous qeuries.
* Need a page added for the current spec so we can park the use case indfo. Maybe move to the spec area?
| style="width: 95px" valign="top" |
Tech team Review
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
4
| style="width: 315px" valign="top" |
Under http://spdx.org/about-spdx it says: "This site is the home for everything SPDX and is the workspace for SPDX Groups." I think this should be rephrased to: "This site is the home for everything SPDX and is the workspace for the SPDX sub-groups (Legal, Technical and Business)." On that same page, sometimes we call it "SPDX Standard" and then "SPDX Specification". Are these used interchangeably? It's unclear.
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
5
| style="width: 315px" valign="top" |
I think this paragraph can use some rephrasing: Original: "The SPDX specification is developed by the SPDX workgroup, which is hosted by the Linux Foundation. The grass-roots effort includes representatives from more than 20 organizations—software, systems and tool vendors, foundations and systems integrators—all committed to creating a standard for software package data exchange formats." Suggested: "The SPDX project is hosted at the Linux Foundation that provides a neutral environment for collaboration. The SPDX standard is developed by the participants of the project which include representatives from more than 20 organizations—software, systems and tool vendors, open source foundations and systems integrators. The SPDX participants are committed to creating a standard for software package data exchange formats."
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
6
| style="width: 315px" valign="top" |
Term-wise: SPDX is a Working Group of the Linux Foundation. It's Technical, Business and Legal teams are considered sub-groups. This needs to be updated through out the pages. For instance, the blue box "PARTICIPATE - Join a Working Group" need to be changed to something like "PARTICIPATE - Join a Task Force" or "PARTICIPATE - Join a Working Sub-Group" or something of that sort. (Update) I later read also that these are called teams. This needs to be updated to be consistent.
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
7
| style="width: 315px" valign="top" |
Under http://spdx.org/about-spdx/background you jump to this page from: http://spdx.org/about-spdx
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
8
| style="width: 315px" valign="top" |
The background is repetitive from the first landing page and thats fine. I think there is no need to force new page jump again for the user to see new content. I suggest moving the text from History and "Vision, Strategy and Execution" to http://spdx.org/about-spdx/background. Currently they have their own URLs.
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
9
| style="width: 315px" valign="top" |
Under http://spdx.org/content/tutorials Aesthetics aside, is it possible to provide a 1-2 lines description of what the paper, webinar and spec are? For an example, visit http://www.linuxfoundation.org/publications/workgroup and scroll towards the end where we feature the SPDX paper.

The SPDX video is hosted on BlackDuck site. I think this should live under spdx.org. You can get a youtube or vimeo account for spdx and host videos there and embed them on the spdx.org site.

If I click on "Read the Spec" blue box I get transfered to http://www.linuxfoundation.org/publications/workgroup. This is not a tutorial. On that new URL, there is also a mention of License List. For new reader, this is first mention. I think you may need some basic description. It feel that the site keeps throwing users from one page to another.
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
10
| style="width: 315px" valign="top" |
UNDER http://spdx.org/content/how-participate How to participate? I think this pages requires an overhall in terms of reorganizing the material, 1) I could not find anything at all about the project governance. How decisions are made? by whom? who drives the project? how roadmap items get decided? who does the work? is participation tied to providing resources? how to become a chair in a sub-workgroup? how to be a chair of SPDX? etc etc. 2) Participation seems to be treated differently than Contributing. This is related to item 1) above - governance. 3) It feels as if this is treated as an open source project. I may be wrong. However, in all of the similar efforts I participated in for the past 12 years (at OSDL and other efforts at the LF), a standard similar to SPDX has usually two branches: the specs itself driven by committed companies who want to move the standard and get it adopted and use it, and the reference implementation which is open to anyone and everyone to participate in. Is this something you considered? 4) Also under this page, it mentions the 3 sub-groups with links to the page of each of them. The pages for all 3 sub-groups are formatted in a different way with different set of info presented. (Update) Later on I discovered new pages that discuss what the teams do (totally random). http://spdx.org/content/business and http://spdx.org/content/legal and http://spdx.org/content/technical.
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
11
| style="width: 315px" valign="top" |
Lots of empty pages. As examples, Roles and Responsibilities" page is empty: http://spdx.org/content/roles-responsibilities, Archive Specifications" page ie empty http://spdx.org/content/archive-specifications "White Papers" page is empty http://spdx.org/content/white-papers "Working Group Roster" page is empty http://www.spdx.org/content/working-group-roster "SPDX Users" page is empty http://www.spdx.org/content/spdx-users
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| style="width: 40px" valign="top" |
12
| style="width: 315px" valign="top" | I am not sure if I covered all pages.. In any case, generally speaking, the site needs updates on its: - Structure / Brows-ability / Usability - Updating text / content - Updating menu items - Consistency in terminology - Removing dead pages and consolidating existing pages - Formatting text on pages - Page divisions and linkages between pages - Governance information is either absent or I could not find it - Roadmap information is either absent or I could not find it ( Priorities page is empty http://spdx.org/content/current-priorities-work-progress-2)
| style="width: 95px" valign="top" |
Ibrahim
| style="width: 95px" valign="top" |

| style="width: 110px" valign="top" |

|-
| 13
| The Collateral material here need to be cleaned up and a final version published (incl new pdf file): http://spdx.org/documentation/beta-collateral What's "Email blurb for recruiting beta sites" at the top of that page? Another collateral page: http://spdx.org/content/spdx-launch-collateral - maybe merge with http://spdx.org/documentation/beta-collateral?
| Ibrahim
|
|
|-
| 14
| Are the contacts still valid? http://spdx.org/about/spdx/contact
| Ibrahim
|
|
|-
| 15
| Add self subsubscribing pages for membership
| Jack
|
|
|-
| 16
| Workgroups are posting meeting info on their main page and under the menu item for meeting calnedar and access. Propose to only put under the meeting calendar and access page. Its a little confusing in two places and often the text is not the same.
| Jack
|
|
|-
| 17
| Add new mission and vision to the site
| Jack
|
|
|-
| 18
| Add links to tools that support SPDX (perhaps on the tools page that is empty?)
| Jack
|
|
|-
| 19
| The Roles and reponsibilities pages are empty. Should move that info from the sub team pages to here.
| Jack
|
|
|-
| 20
| Add an overall meeting calendar for the year and dates for F2F meetings (can link out to wiki for agendas)
| Jack/Steve
|
|
|-
| 21
| We should use generic SPDX email names instead of personal ones on the site for people (people move on, etc).
| Business Team
|
|

|}

If you find it difficult to add a new line you can also [[Talk:General_Meeting/SPDX_Web_Site_Cleanup|comment here]].

[[Category:General]]
[[Category:Archived]]

Legal Team/Decisions/SPDX Metadata License: Rationale for CC0

2013-04-11T09:21:14Z

MartinMichlmayr: Fix format of bullet points

== Overview ==

SPDX files represent a summary of license information extracted from software source code. The SPDX Legal working group evaluated different licenses that can be used to cover the data contained in a SPDX file. One challenge was that the working group did not want to imply that the data contained in a SPDX file is potentially copyright protected. On the other hand, in some jurisdictions, data could be considered intellectual property. In those jurisdictions the working group stride to provide a license that mitigates the risk of someone obtaining controlling IP rights over SPDX data. The following were the core requirements driving the license evaluation process. We sought a license that:

* does not imply that SPDX data is intellectual property;
* in jurisdictions that permit data to be intellectual property - prevents others from claiming controlling ownership over the data contained in a SPDX file;
* will not hinder adoption of the SPDX format by the open source community;
* minimizes further license proliferation in the open source community;
* permits the exchange of SPDX files under confidentiality terms (potentially temporarily) for special situations that may require it.

After careful consideration the Creative Commons Zero 1.0 Universal license was chosen. The rationale for each of the license candidates considered can be found below.

== License Candidates ==

'''Public Domain Dedication and License (PDDL)'''

PDDL is the current designated license for SPDX files as required by the SPDX 1.0 specification. PDDL was initially chosen because it was a “data” license. That is, it was initially design to be used with data as opposed to software or other copyrightable works. The reception of PDDL as the SPDX file data license has been mixed and somewhat controversial at times. A copy of the PDDL license can be found here: http://opendatacommons.org/licenses/pddl/1.0/

* Pros
** Designed for licensing data.
** Useful in jurisdictions where intellectual property rights are granted to data (bases).
** Attempts to make data freely accessible (in a similar spirit that open source licenses do for software).
** Permits the exchange of SPDX files under confidentiality terms.

* Cons
** Lengthy license (6 pages) – will take time for people to review and understand.
** Yet another new license for open source community to review, understand and accept. Would likely add friction to SPDX adoption.
** A major open source foundation pointed out it would be hard to get PDDL approved by their organization as well as other foundations. This is especially true when considering a license that is not familiar to the community (as is the case with PDDL).
** Use of the license implies that SPDX data is copyright protected.

'''MIT Style SPDX Draft'''

The license text is based on the MIT open source license. A copy of the MIT Style license draft can be found in the appendix of this document.''''''

* Pros
** Viewed more as a disclaimer notice than a data license. The intent is to view the SPDX file content as data as opposed to protected intellectual property.
** Serves more as a license in jurisdictions where data is considered protectable intellectual property.
** The license text is short and easy to understand.
** The license is familiar to the open source community and would likely not add much friction to the adoption of SPDX.
** Permits the exchange of SPDX files under confidentiality terms
* Cons
** The license is based on the MIT open source license which was designed to be used with software as opposed to data.
** Requires attribution. Many different SPDX files used in a project or supply chain may potentially require the publication of many different attribution notices.

'''CC0 1.0 - Universal Public Domain Dedication license '''

Creative Commons (CC) is a non-profit organization devoted to expanding the range of creative works available for others to build upon legally and to share. The organization has released several copyright-licenses known as “Creative Commons” licenses, free of charge to the public. One such license is the CC0 1.0 which allows one to contribute their work to the public domain. A copy of the CC0 1.0 license can be found here: http://creativecommons.org/publicdomain/zero/1.0/

* Pros
** License text is short and easy to understand.
** License is familiar to the open source community and therefore would likely not to add significant friction to the adoption of SPDX.
** Achieves object of having the data be considered public domain in those jurisdictions where data can be protected as intellectual property.
** Permits the exchange of SPDX files under confidentiality terms.
* Cons
** License was not designed to be used with data.
** Use of the license implies that SPDX data is copyright protected.

'''No License Provided'''

One option is to take the position that no license applies.

* Pros
** Easy to understand. Does not add friction to adoption of SPDX.
** Promotes the idea that the SPDX data is not intellectual property (e.g., not copyrightable).
** Permits the exchange of SPDX files under confidentiality terms.
* Cons
** Does not prevent one from trying to obtain controlling rights in jurisdictions where data is potentially considered intellectual property.

[[Category:Legal]]

MediaWiki:Sidebar

2013-04-11T07:19:51Z

MartinMichlmayr: Undo revision 2372 by Lfadmin (talk)

User:MartinMichlmayr

2013-04-10T22:50:53Z

MartinMichlmayr: Created page with "I am Martin Michlmayr. You can find out more about me on [http://www.cyrius.com my home page]."

I am Martin Michlmayr. You can find out more about me on [http://www.cyrius.com my home page].

Main Page

2013-04-10T22:30:49Z

MartinMichlmayr: Link to getting started

The Software Package Data Exchange® (SPDX®) [http://spdx.org/content/spdx-specification specification] is a standard format for communicating the components, licenses and copyrights associated with a software package. This wiki site is the workspace for SPDX Teams. Please see [http://spdx.org spdx.org] for general information, the current specification, license list, etc.

* [[Getting started]]
* [[General Meeting]]
* [[Business Team]]
* [[Legal Team]]
* [[Technical Team]]
* [[Old|Older Information]]

Technical Team/Use Cases/2.0/Graveyard

2013-04-10T18:42:10Z

MartinMichlmayr: Convert to MediaWiki syntax

We had several sources to begin pulling for SPDX Use Cases:

# The Pad from earlier conversations collected at [[Technical_Team/Old/Use_Cases_Collected_during_1.x_timeframe|Use Cases For SPDX 2.0 Discussion]]
# The old [[Technical_Team/Old/Sandbox_for_Sharing_Examples/SPDX_Use_Case_1|SPDX 1.0 Use Cases]] as well as the [[:File:ecosystem.jpg|SDPX 1.0 Use Case Picture]].
# Soliciting use cases in 2012 (especially at Linux Collab Summit in April)

'''NOTE''': On May 29, 2012, we removed use cases which were not yet fleshed out. A snapshot of 'all' the use cases was saved in child page SPDX 2.0 Use Cases Graveyard. The process followed was to flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. Note, these use cases should be *'''doable'''* but in general not *'''required'''*. Any item listed here that is not a link, should have a child page created for it.

# Code commits (original work intended for the project)
## [[Technical_Team/Use_Cases/2.0/Committers_provides_SPDX_data_for_a_code_being_committed|Committer provides SPDX data]]
## [[Technical_Team/Use_Cases/2.0/Contributor_makes_commit_subject_to_existing_SPDX_data_of_project|Contributor makes commit subject to existing SPDX data of project]]
## Contributor makes commit subject to existing SPDX data of a dual licensed project and selects one license
# [[Technical_Team/Use_Cases/2.0/Committer_annotates_source_files_with_SPDX_data|Committer annotates source files with SPDX data]]
# Patches (original work intended for the project)
## [[Technical_Team/Use_Cases/2.0/Patch_provider_provides_SPDX_data_for_the_patch|Patch provider provides SPDX data for the patch]]
## [[Technical_Team/Use_Cases/2.0/Patch_provider_provides_SPDX_data_for_the_patch_indicating_it_is_licensed_however_the_hell_its_applied|Patch provider provides SPDX data for the patch indicating it is licensed however the hell its applied]]
## [[Technical_Team/Use_Cases/2.0/Patch_provider_provides_patch_subject_to_existing_SPDX_data_of_project|Patch provider provides patch subject to existing SPDX data of project]]
# Patch provider provides a patch that modifies existing SPDX data of project
## [[Technical_Team/Use_Cases/2.0/Downstream_consumers_contributing_patches_to_provide_SPDX_data_to_an_upstream_that_doesnt_have_it|Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it.]]
## [[Technical_Team/Use_Cases/2.0/Downstream_consumers_contributing_patches_to_provide_corrections_to_SPDX_data_for_an_upstream_that_does_have_it|Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it.]]
# [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data|Upstream maintainer providing SPDX data]]
## [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data_in_source_archive|Upstream maintainer providing SPDX data in source archive]]
## [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data_in_SCM|Upstream maintainer providing SPDX data in SCM]]
## [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data_at_a_URL|Upstream maintainer providing SPDX data at a URL]]
## [[Technical_Team/Use_Cases/2.0/Downstream_consumers_contributing_patches_to_provide_SPDX_data_to_an_upstream_that_doesnt_have_it|Upstream maintainer preparing release artifacts (including SPDX data).]]
## Intended usage communicated by the auditee (how/will the audited item get included in delivered/deployed bits) [Bill Schineller]]
# Project maintainer incorporates another project
## [[Technical_Team/Use_Cases/2.0/Project_maintainer_incorporates_another_project_by_including_source|Project maintainer incorporates another project by including source]]
## [[Technical_Team/Use_Cases/2.0/Project_maintainer_incorporates_another_project_by_including_binary|Project maintainer incorporates another project by including binary]]
## [[Technical_Team/Use_Cases/2.0/Project_maintainer_pulling_individual_files_out_of_another_project_(subsetting)|Project maintainer pulling individual files out of another project (subsetting)]]
# Project maintainer incorporates another copyrightable artifact by reference (think maven, possibly linking cases)
## by static reference (the referenced library is included with a redistribution)
## by dynamic reference (express runtime dependency on the external library, but not redistributing it)
## Maven case
# SPDX-Lite:
## [[Technical_Team/Use_Cases/2.0/Low_cost_SPDX_file|Allow a low investment SPDX producer to produce valid SPDX data]]
## [[Technical_Team/Use_Cases/2.0/Producing_valid_SPDX_files_in_the_face_of_missing_data|Produce a valid SPDX dataset even if some data is missing]]
# Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data
## Intermediate packager builds source package from upstream source
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_source_package_from_upstream_source_that_provides_SPDX_data|Intermediate packager builds source package from upstream source that provides SPDX data]]
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_source_package_from_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager builds source package from upstream source that does not provide SPDX data]]
## Intermediate packager builds binary package from upstream source
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_binary_package_from_upstream_source_that_provides_SPDX_data|Intermediate packager builds binary package from upstream source that provides SPDX data]]
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_binary_package_from_upstream_source_that_does_not_provides_SPDX_data|Intermediate packager builds binary package from upstream source that does not provides SPDX data]]
## Intermediate packager adds patches to upstream source
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_patches_to_upstream_source_that_provides_SPDX_data|Intermediate packager adds patches to upstream source that provides SPDX data]]
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_patches_to_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager adds patches to upstream source that does not provide SPDX data]]
## Intermediate packager adds someone else's patches to upstream source
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_someone_elses_patches_to_upstream_source_that_provides_SPDX_data|Intermediate packager adds someone else's patches to upstream source that provides SPDX data]]
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_someone_elses_patches_to_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data]]
## Intermediate packager subsetting upstream source
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_subsetting_upstream_source_that_provides_SPDX_data|Intermediate packager subsetting upstream source that provides SPDX data]]
### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_subsetting_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager subsetting upstream source that does not provide SPDX data]]
## Intermediate packager chooses to distribute one of multiple available under licenses provided for by upstream (check with legal team)
## Intermediate packager reviews SPDX data provided by upstream.
# Build systems (build systems want to pass on SPDX data for the thing they are building)
## [[Technical_Team/Use_Cases/2.0/Build_System_Yocto|Yocto]]
### How does SPDX work in an environment where the sources aren't there, but are pulled from git or a mirror and patched.
## Maven [Brian Fox]
### Rolling into release artifacts things only referenced in the POM file
### Shading (subsetting) portions of a transitive dependency for inclusion in your artifact
## Continuous integration around SPDX files (fixing SPDX files for commits coming in etc).
## Linking
### [[Technical_Team/Use_Cases/2.0/Debian_has_an_interest_in_only_building_things_that_are_linking_license_compatible|Debian has an interest in only building things that are linking license compatible]]
#### If a tool is consuming SPDX data to interact with heuristics.
## Java complications [Richard Fontana]]
### What to do about installers that download JDK directly from sun.
## I just made a binary out of some source
### [[Technical_Team/Use_Cases/2.0/SPDX_data_indicating_subset_of_the_source_that_made_it_into_a_particular_binary_or_binary_package|SPDX data indicating subset of the source that made it into a particular binary or binary package]]
## Tool used to produce software infecting distribution license of the software itself [Kevin Fleming] (e.g. code-generator? Bison? ..)
# Aggregator aggregating many 'copyrightable items' for redistribution
## [[Technical_Team/Use_Cases/2.0/Linux_Distros|Linux Distros]]
## [[Technical_Team/Use_Cases/2.0/Embedded_Images_(e.g._router_images,_switch_images)|Embedded Images (e.g. router images, switch images)]]
## SDKs [Jack Manbeck]
## [[Technical_Team/Use_Cases/2.0/Reference_Implementations|Reference implementations] [Jack Manbeck]
## Eclipse/OSGI distributions
## [[Technical_Team/Use_Cases/2.0/Application_which_ships_with_documentation_and_media_and_software|Application which ships with documentation + media + software]] [Jack Manbeck]
## [[Technical_Team/Use_Cases/2.0/Application_which_ships_with_a_contrib_libraries|Application which ships with a contrib libraries]]
## [[Technical_Team/Use_Cases/2.0/Application_which_ships_with_development_tools|Application which ships with development tools]]
## Receiving what appears to be commercial software but that commercial software contains Open Source
## Receiving what appears to be opensource software but that opensource software contains commercial software
## [[Technical_Team/Use_Cases/2.0/Subsetting_out_only_the_shippable_bits_of_stuff_coming_from_an_SDK|Subsetting out only the shippable bits of stuff coming from an SDK]]
## [[Technical_Team/Use_Cases/2.0/Aggregators_aggregating_other_aggregations_for_redistribution|Aggregators aggregating other aggregations for redistribution]]
# Consumers receiving SPDX data
## Procurement needs to view it and review it
## Legal department needs to review
## Comply with licensing when there are multiple rights holders each with licensing use under a different license
## [[Technical_Team/Use_Cases/2.0/Provide_sufficient_data_to_allow_consumer_to_comply_with_licenses_on_redistribution|Provide sufficient data to allow consumer to comply with licenses on redistribution]]
## Bradley want to extract all rights holders for a particular file
## Multiple SPDX files you need to reconcile
## Recognizing the same SPDX data for the same code coming from multiple supply chain paths
## Flagging potential issues revealed by the SPDX
### License conflicts
### Listing out obligations
## Helping to meet the obligations of the licenses (Given that I receive an SPDX file, does the info in SPDX file allow me to extract what I need to meet basic kinds of obligations)
### How to capture attribution information for binaries
### Help with redistribution obligations
## Equivalence classes of binaries and tracking back to the same source and source SPDX data.
### Consider what to do about license metafiles
### COPYING files
### LICENSE.* files
### README.*
### Think about how to handle NOTICE files and Apache
# [[Technical_Team/Use_Cases/2.0/Consuming_code_snippets|Consuming code snippets]] (God help us all) (subfile pieces of code not originally intended for the project)
## Make sure that the license and copyright information for a snippet is reflected in the SPDX data for the file
## Track differently licensed snippets explicitly
## Handle the case where code is copied and pasted through online forums etc.
# Signoff/multiple signoff on SPDX data
## [[Technical_Team/Use_Cases/2.0/Contracts_with_multiple_parties_requiring_signoff_by_all|Contracts with multiple parties requiring signoff by all]] [Kate Stewart]
## Signing off on only a subset of the SPDX data (of an SPDX document in progress?)
# Third party does licensing analysis
## [[Technical_Team/Use_Cases/2.0/Third_party_produces_bill_of_materials_for_software_package|Third party generates license analysis]]
## Actual usage communicated
## Did the code that I shipped (the binaries) match the copyrightable items? i.e. be able to produce an SPDX file that applies to binary code
## [[Technical_Team/Use_Cases/2.0/Collecting_enough_information_to_allow_auditor_to_make_recommendations_to_remove_or_not_a_component|Collecting enough information to allow auditor to make recommendations to remove or not a component]]
## Tooling to assist with copyright (change copyright date and list of contributors/copyright holders, even as license and most of code remains unchanged) for changes between versions
## Unaffiliated third party provides SPDX data for a project
# Auditor Analyzing/Sanity-checking/correcting Bill of Material he's handed
## [[Technical_Team/Use_Cases/2.0/Backtrack_from_binary_to_source_files|Backtrack from compiled/binary file to constituent files]]
## outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer]
### [[Technical_Team/Use_Cases/2.0/Check_to_see_if_the_SPDX_data_provided_matches_the_files_provided_and_is_trustworthy_and_most_current_for_package|Check to see if the SPDX data provided matches the files provided]]
### Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)
### Did the code that I shipped (the binaries) match the copyrightable items.
## inbound: validate that SPDX goes hand in hand with what's being brought in [Kirsten Newcomer]
### Chcek to see if the SPDX data matches the files you are shipping [Kirsten Newcomer]
### Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)
## SPDX lint
## Incomplete SPDX data you may need to complete
## Asserting corrections to SPDX data provided by others further upstream
# Migrating from one version of the SPDX spec to another (moving a file from SPDX 1.0 to 2.0 for example)
## e.g. knit together a bunch of 1.0 files into a 2.0...
# Extensions:
## [[Technical_Team/Use_Cases/2.0/Communicate_data_beyond_what_is_described_in_spec|Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know]]
## Experimental improvements to SDPX files w/o breaking consumers that are not in the know. [Peter Williams]
## [[Technical_Team/Use_Cases/2.0/License_list_extension|License list extensions, how do you handle folks who have more licenses than SPDX]]
## [[Technical_Team/Use_Cases/2.0/Decorating_an_already_produces_and_signed_SPDX_dataset_with_extension_data|Decorating an already produces and signed SPDX dataset with extension data]] [Bill Schineller]
## Recording per ExtractedLicenseText a comment detailing exactly which pattern matching technique / string found that Extracted License Text (so that SPDX file doesn't need to repeat in every matched File instance) [D. M. German]
## Recording free-form tribal knowledge about a file which is not otherwise visible in the text of the file itself (e.g. commit history from git repo, origin information such as scanning against a knowledge base of open source could provide) [Mark Gisi]
## Conveying Encryption content (Export Control implications) of a package/file in a package [someone at collab summit]
## Conveying Security Vulnerability information [Jianshen O.- Huawei]
# Look at a 'pingback' (URL string similar for blogs)kind of mechanism for original providers of SPDX (to allow them to figure out where it's used) [Andrew Hsu]
# Cloud
## Materializing a VM and making sure it's OK from a licensing mechanism
## SugarCRM case, obligation by virtue of using web service interface
# Legal Use Cases:
## Allow the NDA status of an SPDX document to be communicated in a machine readable way (not just a comment) for organizations that don't want the SPDX document to be publicly released [Mark Baushke from Juniper]
## How are we going to handle Public Domain (not in license list... region specific...)

==Cross-cutting concerns==

# Provenance (the need to optionally use signing to validate who said what)
# Trust
# Handling staleness of data
# Composite licensing
# Ease of sharing information
## Collecting tribal knowledge along the way
# Guarding against file bloat
# Simple simple simple
# SPDX-Lite:
# Clarity
# Automation/toolifiability
# Regionality

==Themes:==

Looking at these Use Cases, there are some underlying themes:

# Root of data (closer to upstream the better)
# Subsetting of copyrightable things (and their SPDX data) ('''Note''': Subsets of copyrightable things are usually also copyrightable things)
# Aggregation of copyrightable things (and their SPDX data) ('''Note''': Aggregations of copyrightable things are usually also copyrightable things).

[[Category:Technical]]
[[Category:Archived]]

MediaWiki:Licenses

2013-04-10T18:36:53Z

MartinMichlmayr: Add list of licenses

* Unknown|I don't know exactly
* Free licenses:
** PD|PD: public domain
** CC-by-sa-2.5|Creative Commons Attribution ShareAlike 2.5
** CC-by-sa-3.0|Creative Commons Attribution ShareAlike 3.0

Wiki Conventions

2013-04-10T16:57:59Z

MartinMichlmayr: Add wiki conventions for our new MediaWiki wiki

This page describes conventions that should be followed on the SPDX wiki. You can also read the page on [[Getting started|getting started]].

== SubPages ==

This wiki uses subpages to provide a hierarchy. For example, the minutes for the business team are located under <code>Business Team/Minutes</code>.

When you add a new page, please make sure to use the correct hierarchy. If you want to create a new business related page, choose <code>Business Team/name of page</code> If you'd like to add new business minutes, add them as <code>Business Team/Minutes/YYYY-MM-DD</code>

== Categories ==

We use categories to organize pages. You should add one of these categories at the bottom of each new page:
* <nowiki>[[Category:Business]]</nowiki>
* <nowiki>[[Category:General]]</nowiki>
* <nowiki>[[Category:Legal]]</nowiki>
* <nowiki>[[Category:Technical]]</nowiki>

== Adding minutes ==

The list of minutes is updated automatically but this requires minutes to be added in the right location. Please use <code>XXX Team/Minutes/YYYY-MM-DD</code> for new minutes.

Additionally, minutes should have the category <nowiki>[[Category:Minutes]]</nowiki> in addition to the category defining the subject area.

== Headings ==

Make sure not to use a heading starting with <nowiki>=</nowiki> as this reserved for the title of the page. Headings should start with <nowiki>==</nowiki>. See the [http://www.mediawiki.org/wiki/Help:Formatting MediaWiki wiki syntax] page for more information.

== Commenting on pages ==

If you'd like to comment on pages, please click on "discussion" on the top of a page.

Getting started with the SPDX wiki

2013-04-10T16:53:58Z

MartinMichlmayr: Create getting started document

Talk:General Meeting/SPDX Web Site Cleanup

2013-04-10T15:41:27Z