THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Minutes/2014-02-04
Feb 4, 2014
Contents
Attendees
- Gary O’Neall
- Bill Schineller
- Jack Manbeck
- Michael Herzog
- Mark Gishi
- Scott Sterling
Agenda
- Review instance diagrams
- POM plugin efforts
Instance Diagram Review
- No updates since last meeting
- Plans for future instance diagrams:
- a 'distro' with a kernel + packages (e.g. Android)
- a java e.g. Hibernate scenario
- spdx of sources of whole github repo,
- spdx of binary jars (finer grained artifacts) they publish to maven (refer back to sources spdx)
- spdx of an application that uses jars (refers back to spdx's of binaries)
Apache Maven/ POM Plugin efforts
- Effort underway to create a Maven plugin which creates an SPDX file from a Maven POM file
- Reviewed issues from Maven mailing list
- Issue with using POM license info
- not always filled in
- not always accurate
- Feedback from Maven community is it would only be valuable if the code was scanned
- Discussed targeting the code originators and the value to the originators
- suggestion to use the SPDX standard license short names in the POM file
- Plugin currently uses the standard SPDX license URL's and there is some indication that Apache will use those URLs
- where in a Maven repo would .spdx file(s) best land?
- one per GAV?
- one per GAVCP C=Classifier e.g. binary vs. sources.jar P=Packaging e.g. war or jar
apache-servicemix-web-3.2.3.war <- the binary apache-servicemix-web-3.2.3.war.md5 <- md5 of the binary apache-servicemix-web-3.2.3.war.sha1 <- sha1 of the binary apache-servicemix-web-3.2.3.war.spdx <- SPDX of the binary
apache-servicemix-web-3.2.3.war.asc apache-servicemix-web-3.2.3.war.asc.md5 apache-servicemix-web-3.2.3.war.asc.sha1
apache-servicemix-web-3.2.3-sources.jar
apache-servicemix-web-3.2.3-sources.jar.md5
apache-servicemix-web-3.2.3-sources.jar.sha1
apache-servicemix-web-3.2.3.war.spdx <- SPDX of the sources (SCANNED)
- Apache Maven guys: anyone have connections with them to influence SPDX adoption?
- Here's a list of contributors to Maven https://www.ohloh.net/p/maven2/contributors?sort=latest_commit&time_span=12+months
- Maven License Plugin project we might join forces with? http://code.mycila.com/license-maven-plugin/
- Other organizations originating or assembling code will face similar issues as the Maven/POM - could use this as a good test case
Next Week
Next Week - Bill and Gary will not be on the call. Will check with Kate to see if we should have a call next week.