THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Minutes/2013-03-19

From SPDX Wiki
Revision as of 19:47, 26 March 2013 by Goneall (Talk | contribs)


General Updates:

Jack requests we walk through the website / wiki next time

Kate wants to start a draft of SPDX 2.0 documentation

Kate mentions that the UNO folks felt the need for a reviewer comment at every level (e.g. File Level, not just the Doc level)

Modeling:

Next steps would be to do an instance diagram.

Kate suggests use case of Time 1.7 upstream getting consumed by Ubuntu who applies patches to it. http://archive.ubuntu.com/ubuntu/pool/main/t/time/


Items for discussion about the updated model

Document Relationship: the 'downstream' Document includes the relationship; the proposal is that it carries the SHA-1 hash of the document it refers to, and optionally a digitally signed hash...

Specifier: let's get concrete about this... 

Gary thinks Specifier is a pair of a URI plus some sort of checksum that can be used to validate what the URI refers to.

SPDXDoc can't have a Specifier inside itself. But SPDXElements / SPDXPackage could reference a Specifier.

Bill points out that Ed's Adopted Proposal http://spdx.org/wiki/proposal-2012-mar-06-detached-signed-spdx-files indicates influence of Maven guys who do similar.

Perhaps our Spec / Best Practices can point to how we recommend people publish their public keys...

https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven


Here's an excerpt from that post talking about digital signatures:

-----------

Distribute Your Public Key

Since other people need your public key to verify your files, you have to distribute your public key to a key server:

$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys C6EED57A

Here I distributed my public key to hkp://pool.sks-keyservers.net, use --keyserver along with a key server address, and use --send-keys along with a keyid. You can get your keyid by listing the public keys.

Note

Public keys are synced among key servers, but it may take a while.

Now other people can import your public key from the key server to their local machines:

$ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys C6EED57A

-----------
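The two proposals above (a Document Relationship / Specifier that pairs a URI with a checksum of the referenced document, and Ed's detached-signature proposal as the "signed hash" option) are concrete enough to check in code. The following is an added example, not SPDX project code and not the Maven tooling the excerpt describes. It assumes a Specifier is a URI plus an SPDX-style checksum string ("SHA1: <hex>"; the meeting fixed no syntax), that only file:// URIs are dereferenced, and that detached signatures are verified by shelling out to gpg against a keyring you control. The SPDX document it checks is a constructed sample.

```python
"""
Checking an SPDX Specifier (URI + checksum) and a detached OpenPGP signature.

Added example, not SPDX project code.  Assumptions: a Specifier is a URI paired
with an SPDX-style checksum string ("SHA1: <hex>"), only file:// URIs are
dereferenced, and detached signatures are verified by shelling out to gpg.
"""
import hashlib
import os
import pathlib
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from urllib.parse import urlparse
from urllib.request import url2pathname

# Algorithms a Specifier checksum may name.  SHA-1 is what the minutes propose;
# SHA256 is accepted as well (an assumption that goes beyond the discussion).
SUPPORTED = {"SHA1": "sha1", "SHA256": "sha256"}

# Constructed sample: a minimal SPDX 1.1 document standing in for the upstream
# 'time 1.7' document that a downstream (Ubuntu) document would refer to.
SAMPLE_DOC = b"""SPDXVersion: SPDX-1.1
DataLicense: CC0-1.0
DocumentComment: <text>Constructed sample, not a real SPDX document.</text>
PackageName: time
PackageVersion: 1.7
PackageDownloadLocation: NOASSERTION
PackageLicenseDeclared: GPL-2.0+
"""


@dataclass(frozen=True)
class Specifier:
    """URI plus checksum of what it points at (the pair Gary describes)."""
    uri: str
    checksum: str  # e.g. "SHA1: 2fd4e1c6..."


def parse_checksum(value):
    """Split 'ALGO: hex' into (hashlib name, lowercase hex); reject anything odd."""
    algo, sep, hexdigest = value.partition(":")
    algo, hexdigest = algo.strip().upper(), hexdigest.strip().lower()
    if not sep or algo not in SUPPORTED:
        raise ValueError(f"unsupported or malformed checksum: {value!r}")
    if any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError("checksum digest is not hexadecimal")
    if len(hexdigest) != 2 * hashlib.new(SUPPORTED[algo]).digest_size:
        raise ValueError(f"wrong digest length for {algo}")
    return SUPPORTED[algo], hexdigest


def resolve_local(uri):
    """Map a file:// URI to a path.  Remote schemes are refused on purpose:
    fetching is a separate, policy-laden step (assumption of this example)."""
    parts = urlparse(uri)
    if parts.scheme != "file":
        raise ValueError(f"refusing to dereference non-file URI: {uri}")
    return url2pathname(parts.path)


def digest_file(path, algo):
    """Stream the file through the named hash and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_specifier(spec):
    """True iff the document the URI resolves to matches the recorded checksum."""
    algo, expected = parse_checksum(spec.checksum)
    return digest_file(resolve_local(spec.uri), algo) == expected


def verify_detached_signature(document_path, signature_path, gnupghome):
    """Check a detached OpenPGP signature (the 'signed hash' option) with gpg.
    Only keys already present in `gnupghome` count; nothing is fetched."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg is not installed")
    result = subprocess.run(
        [gpg, "--batch", "--no-tty", "--homedir", gnupghome,
         "--verify", signature_path, document_path],
        capture_output=True, text=True, check=False)
    return result.returncode == 0


def self_check():
    """Write the sample document to a temp dir, then test a matching Specifier
    and one whose checksum was recorded against a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "time-1.7.spdx")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_DOC)
        uri = pathlib.Path(path).as_uri()
        good = Specifier(uri, "SHA1: " + hashlib.sha1(SAMPLE_DOC).hexdigest())
        stale = Specifier(uri, "SHA1: " + hashlib.sha1(SAMPLE_DOC + b"\n").hexdigest())
        return verify_specifier(good), verify_specifier(stale)


if __name__ == "__main__":
    print(self_check())
```

Two caveats a practitioner would add to the proposal as minuted: the checksum only tells you the bytes are the ones the downstream author saw, not who produced them, which is exactly the gap the detached signature closes, so the signature should be verified against a keyring populated deliberately rather than by unauthenticated keyserver lookup (the SKS pool named in the excerpt has since been shut down in any case); and SHA-1 is no longer collision resistant, so a Specifier format should at least allow a stronger algorithm, which is why the example accepts SHA256 alongside the SHA-1 the minutes propose.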