THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Minutes/2013-03-19"

From SPDX Wiki

Latest revision as of 11:07, 29 March 2013

General Updates

Jack requests that we walk through the website / wiki next time.

Kate wants to start a draft of the SPDX 2.0 documentation.

Kate mentions that the UNO folks felt the need for a reviewer comment at every level (e.g. the File level, not just the Document level).

Modeling

Next steps would be to do an instance diagram.

Kate suggests the use case of Time 1.7 upstream being consumed by Ubuntu, which applies its own patches to it: http://archive.ubuntu.com/ubuntu/pool/main/t/time/

Items for discussion about the updated model

Document Relationship: the 'downstream' Document includes the relationship, and the proposal is that it carries the SHA-1 hash of the document it refers to, and optionally a digitally signed hash...

Specifier: let's get concrete about this...

Gary thinks a Specifier is a pair: a URI plus some sort of checksum that can be used to validate what the URI refers to.

An SPDXDoc can't have a Specifier inside itself, but SPDXElements / SPDXPackage could reference a Specifier.
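The Specifier and downstream-relationship idea above, as an added example (not SPDX project code): a Specifier is a URI plus a checksum, the downstream document records the digest of the upstream document it refers to, and a consumer re-hashes whatever the URI resolves to and compares. The `ALGO: hex` checksum form, the URI, the in-memory repository standing in for a download, and the SHA-256 option are all constructed assumptions, not from the minutes.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample: the "upstream" SPDX document a downstream document refers to.
UPSTREAM_URI = "http://example.invalid/spdx/time-1.7.spdx"  # placeholder URI
UPSTREAM_DOC = b"SPDXVersion: SPDX-1.2\nPackageName: time\nPackageVersion: 1.7\n"

# Stand-in for fetching the URI; a real verifier would download the document.
REPOSITORY = {UPSTREAM_URI: UPSTREAM_DOC}

# SHA-1 is what the minutes propose; SHA-256 is added here as a generalization.
SUPPORTED = {"SHA1": "sha1", "SHA256": "sha256"}


@dataclass(frozen=True)
class Specifier:
    """A URI plus a checksum (as Gary describes), checksum in assumed 'ALGO: hex' form."""
    uri: str
    checksum: str  # e.g. "SHA1: 2fd4e1c6..."

    def algorithm_and_digest(self):
        algo, _, digest = self.checksum.partition(":")
        algo = algo.strip().upper()
        if algo not in SUPPORTED:  # refuse unknown/weak algorithms rather than guess
            raise ValueError(f"unsupported checksum algorithm: {algo!r}")
        return SUPPORTED[algo], digest.strip().lower()


def make_specifier(uri: str, content: bytes, algo: str = "SHA1") -> Specifier:
    """Build the Specifier the downstream document would carry for `content`."""
    digest = hashlib.new(SUPPORTED[algo], content).hexdigest()
    return Specifier(uri, f"{algo}: {digest}")


def verify_specifier(spec: Specifier, fetched: bytes) -> bool:
    """True only if `fetched` matches the digest recorded in the Specifier."""
    algo, expected = spec.algorithm_and_digest()
    actual = hashlib.new(algo, fetched).hexdigest()
    # Constant-time comparison so the check does not leak how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def resolve_and_verify(spec: Specifier) -> bool:
    """Resolve the URI (from the constructed repository) and validate what it returns."""
    fetched = REPOSITORY.get(spec.uri)
    if fetched is None:  # an unresolvable reference is a failed validation, not an error
        return False
    return verify_specifier(spec, fetched)
```

The checksum only proves the fetched bytes are the ones the downstream author saw; the optional digitally signed hash from the discussion is what would bind them to an identity, which is where the detached-signature proposal comes in.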

Bill points out that Ed's Adopted Proposal (http://spdx.org/wiki/proposal-2012-mar-06-detached-signed-spdx-files) shows the influence of the Maven folks, who do something similar.

Perhaps our Spec / Best Practices can point to how we recommend people publish their public keys:

https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven

Here's an excerpt from that post talking about digital signatures:

Distribute Your Public Key

Since other people need your public key to verify your files, you have to distribute your public key to a key server:

   $ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys C6EED57A

Here I distributed my public key to hkp://pool.sks-keyservers.net; use --keyserver along with a key server address, and use --send-keys along with a keyid. You can get your keyid by listing the public keys.

Note

Public keys are synced among key servers, but it may take a while.

Now other people can import your public key from the key server to their local machines:

   $ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys C6EED57A